Saturday, August 6, 2022

Changes to Website Logons -- Improve security? Or make it easier to hack?

In the early 1970s, everyone in the military had a "service number."  Officers' numbers were a slightly different format than NCOs', and Reserve officers had different prefixes than regular officers.  Then, at some point, the military decided to get rid of service numbers and replace all of them with SSNs.  It is not clear what that did for our security, but I think it reduced it.  Our SSN was used by banks and income taxes, but was not seen by anyone else.  Our service number was known by the service member and printed on our ID cards.  Of course, everyone probably loses their ID card somewhere during their tour of duty -- so who knows who gets those "private" numbers?

Back in the late 1970s and 80s, the military required everyone to have their SSN printed on their checks.  Of course, it wasn't a "military" requirement to do so.  We just couldn't pay for anything at the Commissary, Base Exchange, Non-appropriated Funds, etc., unless we presented a check with our SSN printed on it.  So if we wanted to cash a check, we had to have them printed with the SSN.  Of course, then every business we paid with checks had our SSN, and unscrupulous workers in those businesses could use it to hack our accounts.

I never understood the rationale behind making either of those changes, or what the Government gained by doing it!  It was a big transition, and it cost a lot of administrative labor to make it.  It took another decade until the 1990s before both of those requirements were changed and the SSNs were no longer on our military ID card.  It took pressure on Congress from military members and at least one General who had his account hacked.  

Now, it seems that websites are doing a similar inexplicable thing.  They are changing logon names to "valid email addresses."  A couple of the big businesses recently making that change are AT&T and Rocket Mortgage.  Before this change, a user could have a unique combination of numbers and letters as a logon -- and have a different one for each website.  That makes it much more difficult for a hacker.  Now, since email addresses are somewhat public, all hackers have the logon.  Half of their work is done -- all they have to do is then figure out the password!  All of these websites already have our email address in their database -- so they aren't doing it so they can collect our email address.  They are apparently doing it for some reason -- maybe to "simplify" their database?  They are saving one "field" out of hundreds at a time where digital storage is almost free!  

It is always interesting that when such a change is made, the rationale for making the change is never explained, and the companies never seem to ask for any feedback.  They think they know best -- and do not want to hear from any of their annoying customers.

Credit Bureaus are organized crime and need to be regulated by the Federal Government

I've always thought that our three credit monitoring bureaus (Experian, Equifax and Trans Union) were sort of a criminal enterprise.  They collect information about us, sell it to anyone who is willing to pay, and charge us to even see what they collect.  I've always been concerned about the security of the data they collect about us.  How do they protect our data?  What happens if they don't protect it?

Last week we learned that Equifax "experienced" a massive data breach.  The NY Times said that the data breach could affect from 143,000 to 209,000 US citizens.  It has always been clear that the databases maintained by these credit agencies are probably the most valuable, richest target in the cyber world for hackers.  So you would think they would have some of the absolute best security in the world.  But obviously, they didn't.  We also learned from Yahoo News that the hack took place over 9 years, was known about in July, but was not announced to the public until September.  Between the discovery of the data breach and the release of the news to the public in September, several Equifax executives were able to sell their stock before the stock price plummeted.

The company then set up a website to supposedly tell citizens if their data was hacked.  It appeared to me that they used this data breach as an opportunity to get a whole lot more private data from millions more potential customers that they can market to.  Of course, that new data now also could become vulnerable to hackers.  They also tried to get everyone who inquired to sign up to never being permitted to "sue" Equifax, and tried to get everyone to sign up for their $30/month credit monitoring service.