Secret Questions

In the poker forums I frequent there is a lot of buzz about instant messaging accounts being hacked recently.

This can be serious business in poker, because some of the higher stakes players think nothing of sending over a few thousand dollars here or there whenever a friend needs it, surely to be paid back later. 

There’s no threat of that happening to me.  For one thing I just don’t have enough in my accounts to not make sure it’s not someone I’ve dealt with on the forums for a long time.  The list is short… and I wouldn’t do it out of the blue.  But still some harm could be done if someone posing as me were approaching my friends via IM.

One of the ways the hackers gain access to an account is to approach the mark, talk with them conversationally, and then drop a question into the middle of the conversation like “What’s your favorite food?” or “Where were you born?  LA or San Francisco?”  You answer it, unaware that what you’re really doing is giving away the answers to your secret questions, which will allow someone to change the passwords on your accounts.  They can do this from IM accounts they have already hacked, so you think you’re talking to your friend.

This works for AIM, and it can work for other accounts, too.  E-mail accounts, credit card accounts, blogs… That’s how hackers got into Sarah Palin’s Yahoo e-mail account.  They guessed (or knew) the answers to her ‘secret questions’.

The same goes for accounts you wouldn’t necessarily expect to be vulnerable, or to be worth hacking, like Facebook accounts.

Some advice has been given out regarding how to answer secret questions.  You shouldn’t use any answers that would be relatively easy to find out; use ones you don’t divulge in normal conversations.  Information like favorite foods, the name of your pet, or your zip code is fairly easy to share without remembering whether it’s a secret question or not.  Or mix and match… whenever you’re asked your favorite pet, put in the answer matching your elementary school question.

Also it might be a good idea to look at password managers, like RoboForm, which let you generate passwords on the fly and log into websites without storing the passwords in your browser.


