After the recent disclosure by Yahoo that hackers stole a bunch of data from them in 2014, I of course changed my Yahoo password. I could see in my 1Password file that I had last changed my password in 2014, probably after this reported incident in January 2014.
I used to use my Yahoo Mail account as my main email, back in the days before Gmail. Lately, I just use it when I have to give an email address to somebody I don’t really want to get email from. So, now, it’s a dumping ground for email from various retail store reward cards and stuff like that, and I check it only very occasionally. I should probably close it out entirely, but I do still need a Yahoo account for Flickr. I don’t use Flickr as much as I used to, but I still like it as a place to keep my photos.
This time, I also went in to Yahoo and cleared all of my security questions. (Yahoo actually encourages you to do this, and to switch to using two-factor authentication for password resets, instead of relying on security questions.) I’m more worried about hackers having the answers to those questions than I am about them having my old password. Back when I first set up my Yahoo account, it was fairly common to answer security questions with, well, accurate responses. So the question about my first pet actually has the name of my first pet. Doing a full-text search in 1Password, I see that I used that “first pet” question on a number of other accounts too, and gave a correct answer in those cases also. And, checking on those accounts, I see that changing the answers to your security questions isn’t even possible with some accounts. (I guess they just figure that the name of your first pet is never going to change, so why let you change it? That probably made sense at the time.)
So, in some cases, I guess I’m stuck with a little security issue, if somebody in possession of that Yahoo data ever decides to try a password reset on an account where I used the same security questions. On nearly all of the important accounts I have, I’ve set up two-factor authentication, so hopefully that would kick in and prevent someone else from taking over the account.
Meanwhile, for accounts that still use security questions, I always make sure I answer them with random words that don’t relate to the actual questions and that are unique across all accounts. I know people who answer them with random GUIDs, but that might be a hassle if you ever have to recite them over the phone.