Return of the password reset attack

Most people know of the Sony PlayStation Network/Qriocity Service breach by now. I think most people know that they need to change those account passwords when they can access the network again. I hope people know that if they used the same password in other places, they need to change those passwords as well. Sony doesn't seem to know if credit card details were breached, so many people are cancelling the credit cards used in conjunction with their Sony accounts.

The insidious threat that many people may miss is the compromise of the answers to password reset questions. Those answers were among the data reportedly compromised in the breach, and their exposure has perpetual consequences if you do not change your security reset answers on other sites as well.

The password reset attack works like this: a hacker tries to log into your account. It may be an email account, a social networking account, a blogging account, or another type of online account. The hacker clicks the link for “I forgot my password” and is challenged with security questions. Having obtained the answers to the reset questions from the Sony data breach, the hacker can now commandeer your accounts, depending on the mechanism each particular site uses in conjunction with the security challenge questions.

I have long advocated using an incorrect answer to security challenge questions, but in this case the hacker would have the incorrect answer. If you are one of the victims of the Sony breach, do not overlook the significance of the challenge questions. You need to identify each site you are signed up with and determine whether it uses any of the same security challenge questions that were used on the Sony site. Failure to change the answers may leave your other accounts vulnerable to cybercriminals performing password reset attacks.
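The audit described above can be scripted against your own record of accounts. The following is an added example, not part of the original post: the site names, questions and answers are constructed, and the functions `normalize`, `exposed_accounts` and `fresh_answer` are hypothetical helpers. It assumes you keep replacement answers in a password manager, since they are random and unique per site.

```python
import secrets
import unicodedata

def normalize(text):
    """Fold case, accents, punctuation and spacing so near-identical entries match."""
    folded = unicodedata.normalize("NFKD", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def exposed_accounts(inventory, breached_site):
    """Return {site: [(question, reason), ...]} for every other account that
    shares a challenge answer or question with the breached site."""
    leaked = inventory[breached_site]
    leaked_questions = {normalize(q) for q in leaked}
    leaked_answers = {normalize(a) for a in leaked.values()}
    findings = {}
    for site, qa in inventory.items():
        if site == breached_site:
            continue
        for question, answer in qa.items():
            if normalize(answer) in leaked_answers:
                reason = "same answer"      # reused answer: change it first
            elif normalize(question) in leaked_questions:
                reason = "same question"    # answer differs today, still review it
            else:
                continue
            findings.setdefault(site, []).append((question, reason))
    return findings

def fresh_answer(nbytes=12):
    """Random replacement answer, unrelated to any question or other site."""
    return secrets.token_urlsafe(nbytes)

# Constructed inventory: site -> {challenge question: stored answer}.
INVENTORY = {
    "breached-service.example": {"What is your mother's maiden name?": "Blue Giraffe",
                                 "What was your first pet's name?": "Rex"},
    "webmail.example": {"What is your mothers maiden name": "blue giraffe"},
    "blog.example": {"What was your first pet's name?": "Tango"},
    "bank.example": {"What was your first car?": "xk3-Qp9vTz"},
}

if __name__ == "__main__":
    for site, hits in exposed_accounts(INVENTORY, "breached-service.example").items():
        for question, reason in hits:
            print(f"{site}: {question!r} ({reason}) -> new answer {fresh_answer()}")
```

Note that the webmail entry is flagged even though its answer is a deliberately incorrect one, because the same incorrect answer was stored on the breached site.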
