Daily Archives: December 15, 2016

A little secret

Yahoo admits to a billion customer records being compromised. The numbers are staggering, but the news of the exploit is mundane.

Doubtless the raw numbers are very largely inactive accounts: people who long since stopped using Yahoo accounts; people who signed up with some other company that subsequently got borged by Yahoo; people who once signed up to access some service but never used the accounts; et cetera. Just as with social media numbers (even just the number of followers of this humble blog), they are to be taken with a big pinch of salt.

Nevertheless, that’s a billion signups. Allowing for fakes and duplicates, that might be a nine-digit number of real people who once answered security questions. That’s a bunch of answers that, unlike passwords, travel with the user across multiple services, not just online but also those you might access by other means such as the ‘phone or even face-to-face. The name of your first pet or your primary school is no more secure than the classic mother’s maiden name.

And now a billion such records have leaked. Give or take: we don’t know how many users ever were genuine, nor how many such questions and answers each genuine user disclosed.

So what does it mean if you’re one of the billion? If someone wants to steal your identity, your security questions and answers have passed from the realm of something they have to research to something easily automated. Well, we don’t know that for certain, but it’s a risk that can no longer be dismissed.

You’d better change your security questions everywhere that matters. What do you mean, you can’t remember which questions you signed up to Yahoo with twenty years ago? Don’t tell me you can’t change the city of your birth, or the initials of your first lover. Oh dear [shakes head].

And even if you’re not one of the billion, you may already have started to get the phishing emails purporting to be from Yahoo (or others) about changing passwords.

I’ve argued here before that security questions are not fit for purpose. Perhaps the Yahoo leak might help persuade the world to stop using them for things that matter!