The gravity of the Equifax breach is unique in that it is less about the number of individuals affected and more about the type of information that was stolen – particularly Social Security Numbers (SSNs).
Previous breaches (ex. Yahoo, LinkedIn, Myspace) have typically involved login credentials and are followed by password dumps and “credential stuffing,” in which hackers use bots to automatically cycle through enormous lists of stolen logins on other websites en masse (highly advanced bots can test over 1M credentials per hour) in an attempt to gain access to accounts using the same usernames and passwords. But passwords are an expiring commodity that is only valuable for a short period because changing a password is the suggested corrective action.
But SSNs cannot be changed. Concerned companies can't force their customers to reset their SSNs, so the impact is longer lasting than credential leaks. SSNs are permanent and thus represent a permanent risk. The same applies to birth dates and driver's license numbers, which were also stolen from Equifax.
So what is the real concern about the Equifax breach? Now a malicious hacker has a more complete picture of 143 million individuals. Their SSNs, driver's license numbers and addresses are used to verify their identity everywhere. The likelihood of these people being exploited through social engineering is now exponentially easier. If the thief was a nation state, intruding into a person's life is now much easier.
However, if the thief is just looking to monetize the information then it has value on the dark web, and could also be weaponized by bad bots to defraud the government and businesses all over the United States. How ironic would it be if the Equifax breach led to fraudulent credit applications that ruin the individual's credit scores?