They've almost certainly got a "forgot my PIN" flow, too. Otherwise a forgotten PIN would mean a lifetime loss of access to credit.

What do you want to bet it uses stuff like your SSN to verify?

For Equifax, you are exactly right [1]. If you lose your pin you just ask for a new one and provide some basic form of id.

[1] https://help.equifax.com/s/article/ka137000000DS9XAAW/What-d...

Yeesh.

> Please provide proof of identification, such as a copy of your driver's license, passport, birth certificate or other proper identification forms.

Given that the hack included name, SSN, date of birth, and address, a fake copy of one of these should be incredibly easy to generate.

edit: Driver's license numbers were also leaked in some cases. Fun.

Even worse: In a number of states, the DL number is deterministic based upon name and DOB.

http://www.highprogrammer.com/alan/numbers/dl_us_shared.html

I don't know if it's still the case, but Virginia used to your SSN as an ID. There was an opt-out for that, which I exercised about 25-30 years ago, so I don't know if that policy is still in place.