Yahoo Hack Highlights Flaw with Security Questions [Updated]

By Michael Wilson | October 4, 2017

Overview of the Yahoo Hack

Yahoo has disclosed that 1 billion user accounts were compromised in August 2013. This is a separate incident from the previous disclosure in September 2016 of 500 million accounts breached in 2014. The compromised data includes:

Names
Email Addresses
Telephone Numbers
Dates of Birth
Hashed Passwords
Encrypted or Unencrypted Security Questions and Answers

When considering a breach like this, one of the first things to consider is: “Is the damage contained to this service?”.

When a company loses factual data about who you are, it can aid someone trying to steal your identity. Security questions are something that give many people a false sense of security while undermining their ability to protect themselves from identity theft.

Don’t Answer Security Questions Honestly

This advice may sound counter-intuitive but stay with me. You shouldn’t use real information when filling out security questions such as:

What is your mother’s maiden name?
In what city were you born?
What high school did you attend?
What was the name of your first school?

The problem with honestly answering these questions is that the answer is a fact about your life. Facts don’t change, and once an attacker has the information, there isn’t anything you can do about it. The answers to these questions also give insights into your home and family life which can help an identity thief complete the picture about who you are.

What Should You Do?

Understand Why These Questions are Asked: Security Questions are meant to be a user-friendly way of adding additional password layers to your account. The company doesn’t need to know the real information and they won’t check.
You Are Free to Give Any Response: You can enter anything you want when answering security questions. The only thing that matters is that you are able to answer the question at a later date when prompted.
Nothing Personal: A general rule is to reveal as little about yourself as possible.
Be Unique: If you have to fill out security questions, you should give them a random or nonsense answer that you only use for that single service.
Save Answers Securely: Since they will all be unique, use a secure password manager such as LastPass to securely store them for later reference.

Update: February 21, 2017

Yahoo has notified users that the breach may have been ongoing until much more recently. Potentially into 2015 or 2016.

More details from the Associated Press: Yahoo issues another warning in fallout from hacking attacks

Hopefully the cookie was forged by a state known for such delicacies. #yahoo #security #baking pic.twitter.com/7gCeEd3Y51
— Joshua B. Plotkin (@jplotkin) February 15, 2017

Update: March 15, 2017

The U.S. Department of Justice has indicted four people, including 2 Russian FSB officers, for the 2014 cyberattack on Yahoo which breached 500 million accounts.

Motherboard has a comprehensive breakdown of the story.

Update: October 4, 2017

There is now confirmation from Yahoo that the August 2013 attack affected all of their approximately 3 billion user accounts.

Original Date of Publication: 2016-12-15 | Updated on: 2017-02-21 | Updated on: 2017-03-15 | Updated on: 2017-10-04

Posted in Security and tagged Identity Theft, LastPass, Passwords, Security Questions, Yahoo

About Michael Wilson

Michael Wilson is a Digital Strategist who works with people to build, protect, and elevate their brands online.

View all posts by Michael Wilson →