First, an apology: this diary will not be up to my usual authorial standards, as I’m writing it in a hurry. You can have fast, or you can have pretty. In this instance I’d go with fast if I was you.

By now you know that one of the big three credit reporting companies, Equifax, was hacked a while back, giving the bad guys pretty much all of the important personal information for about 150 million Americans (i.e., every living American resident who has a credit history). But you may not fully appreciate just how disastrous this was. The stuff the bad guys now know about you includes your credit history (who you bank with, what credit cards you hold, who owns the mortgage on your home, your student debt, your car loans, etc., and how punctual you are on making payments).

But wait...there’s so much more. Here’s just a sampling of what else Equifax knows about you...and therefore what we must assume the bad guys now know about you, too:

Your Social Security number

Your date of birth

Your place of birth

Your mother’s maiden name

Every address you’ve ever lived at

Your spouse’s name and your kids’ names (if you have any)...nicely linked to your name

The year, make, and model of your car(s)

Your email address and phone number

Plus, no doubt, other things even I’m not aware of.

Long story short: If I was the bad guy who hacked Equifax, I would now be perfectly positioned to open a bank account in your name, apply for a credit card in your name, or take out a loan in your name. And because those debts are in your name, you’ll be responsible for paying them off (unless you go through lengthy proceedings to successfully prove they are not, in fact, your debts...and during the months or years required to do so your credit will be totally screwed).

Here’s what you need to do now to protect your credit

Go to each of the big 3 credit reporting companies’ web sites and place a security freeze on your credit report (see detailed instructions below), and jot down the PIN number you’ll be given. What this means, in a nutshell, is that whenever a financial institution tries to pull your credit report, they’ll be told “sorry, there’s a security freeze on that file. You can’t have it.” Financial institutions always pull credit reports on prospective customers, so the practical consequence of this freeze is that neither you nor anyone else will be able to open a bank account or get a credit card or get a loan in your name. But don’t worry; any time you actually need to do one of those things, all you have to do is go back to those credit agencies’ web sites, enter the PIN number you got when you froze your report, and then choose to either temporarily or permanently unfreeze your report. Hey presto, you’re back in business...you can get that new bank account, or buy that new car on credit, and then refreeze your reports. Yes, this is a pain in the ass. But it is all that stands between you and imminent financial ruin right now, so cowboy up and do it.

Here’s how:

Here are the URLs of the “freeze me” pages for the big 3 credit reporting firms. Go to each one, and follow the instructions there to freeze your report:

Equifax: www.freeze.equifax.com/…

Experian: www.experian.com/…

TransUnion: annualcreditreport.transunion.com/…

SAVE THE PIN NUMBERS THEY GIVE YOU. You’ll need them to unfreeze your reports at some later date. (If you lose your PIN they’ll issue you a new one, but it’s a hassle.)

Please be aware that freezing your report is not 100% certain to protect you. I can think of at least three ways around it for bad guys (which I’m certainly not going to discuss), but they are, at a minimum, difficult, and many bad guys will find them impossible. So freezing your reports is still MUCH BETTER than doing nothing, even if it’s not 100% protection.

But wait...there’s more.

Not only is your credit currently vulnerable as all hell, so too are some (not all, but some) online accounts of every sort that you have. Maybe your Amazon account, your Netflix account, your online banking accounts, your insurance accounts, pharmacy accounts, online brokerage accounts, whatever.

Here’s how that works. Think about the last time you forgot a site’s password. If the folks who designed that site’s security procedures were smart, they asked you for your email address and then they emailed you a new temporary password. Nice. This is hard for our bad guys (with all of your personal information, remember) to work around, because they don’t have access to your email account, so they can’t see that email, so they don’t know your temporary password (unless, of course, they’ve already hacked your email account...in which case you’re fucked). But if the folks who designed that site’s security systems are stupid (and there are a lot of those), then when you failed to log in the site presented you with a phone number to call, and when you called that number the nice lady asked you to verify your identity by telling her the last four digits of your SSN, and maybe your birth date, your address, and your email address...and then she gave you your new temporary password right there over the phone, instead of emailing it to you. Oy. This is a hacker’s wet dream. Because the bad guys know all the answers to all those questions, so they can call and get a temporary password for your account, then log into your account and create a new password, thus locking you out of your account and locking them in.

Fortunately, nowadays there are fewer and fewer businesses who handle “forgot my password” issues in this horribly insecure way, but there are still way too many out there. And I have to admit that I can’t think of a really good way to protect yourself now if you have accounts with companies that are doing it wrong. Sorry about that. Maybe somebody else out there has some thoughts on this point?
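For readers who build or review login systems, here are the two “forgot my password” designs described above side by side, as an added Python example that is not part of the original diary. The account data, function names and the in-memory outbox standing in for a mail server are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one account, plus the facts a breach exposed about its owner.
ACCOUNT = {"email": "alice@example.com", "ssn_last4": "1234", "dob": "1980-02-03"}
BREACHED = {"ssn_last4": "1234", "dob": "1980-02-03"}

def phone_reset(account, answers):
    """Insecure design: hand the caller a temporary password if personal facts match."""
    ok = all(hmac.compare_digest(account[k], answers.get(k, "")) for k in ("ssn_last4", "dob"))
    return secrets.token_urlsafe(8) if ok else None

class EmailReset:
    """Safer design: the reset secret goes only to the mailbox already on file."""
    TTL = 900  # seconds a reset token stays valid

    def __init__(self):
        self.pending = {}  # sha256(token) -> (email, expiry); the raw token is never stored
        self.outbox = []   # stand-in for the mail server: (recipient, token)

    def request(self, account, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (account["email"], now + self.TTL)
        self.outbox.append((account["email"], token))  # the requester gets nothing back

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # popped on first use, so single-use
        if entry is None or now > entry[1]:
            return None
        return entry[0]  # the account allowed to set a new password
```

The phone-style check succeeds for anyone holding the breached facts, while the email flow only succeeds for whoever can read the token in the registered mailbox, and only once, within the time limit.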