The Federal Trade Commission said Thursday it has opened an investigation into the Equifax data breach, which resulted in the data of as many as 143 million consumers being exposed to hackers.

If past is prologue, the outcome of any investigation or legal action from the FTC won't equate to any fines being levied against the Atlanta-based credit bureau. The agency doesn't have any power to do that. Instead, the probe likely will conclude with a legal settlement where Equifax promises to shore up its tech and agree to auditing. Earlier this month, for example, the FTC announced the conclusion of its look into Lenovo's conduct of pre-installing man-in-the-middle adware. In the end, the agency ordered the company to disclose to consumers if it was going to install the software on new computers, and the organization ordered outside monitoring of Lenovo's compliance. Lenovo, of China, admitted no wrongdoing.

In the Equifax mess, the agency also issued a warning Thursday to consumers to be wary of nefarious and fake Equifax employees calling to verify your stolen data. Don't give it to them, the FTC says, as it's not Equifax calling—scammers are randomly calling people and posing as Equifax employees "to verify your account information."

In this public notice, the FTC informs readers that "They’re not from Equifax. It's a scam. Equifax will not call you out of the blue." If you participated in one of these calls, here's what the FTC says you should do:

"If you gave your personal information to an imposter, it’s time to change any compromised passwords, account numbers or security questions. And if you’re concerned about identity theft, visit IdentityTheft.gov to learn how you can protect yourself."

The FTC announcements came the day after Ars reported that the Equifax breach was accomplished by hackers exploiting a Web application vulnerability that had been patched more than two months earlier.

Ars' security editor, Dan Goodin, reduced it to this:

Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites.

What's more, Equifax didn't help its public image by having vague terms of service (ToS) on its website. Its ToS suggested that by accessing the site to find out if you were a victim, you had to waive your right to sue. Equifax later added language to the site to clarify that consumers were not forced into arbitration by visiting its site.

For further information on dealing with the fallout, Ars IT editor Sean Gallagher has a post on how to protect your credit if your data was exposed. The security flaw on the Equifax website exposed full names, Social Security numbers, birth dates, addresses, and, in some cases, drivers license numbers.