Mother's maiden name. First school. First pet. The answers were once known only to the holder. Now they sit on genealogy sites that anyone can query, school alumni pages that anyone can read, and social posts written years ago by the person themselves or by relatives who tagged them.
The information was not extracted; it was published. Each fragment was published for a reason that made sense at the time. Aggregated across sources by a determined reader, the fragments answer most security questions completely enough to defeat the recovery flows that still use them.
Major services have largely moved away from this kind of question. Smaller services, legacy accounts, and many financial systems have not. A principal with a long history of online accounts has a long tail of recovery routes that depend on facts no longer private.
The audit is dull but practical: open each significant account, find the recovery settings, replace any security questions with answers that are not the true ones (and write the false answers down somewhere safe), or remove the option where the service allows it.
Where this concerns a private individual, it warrants reading slowly.
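The audit described above can be kept as a small worklist. The sketch below is an added example, not part of the original text: the inventory, its field names and the account names are constructed, and preferring removal over replacement when a service allows both is an assumption.

```python
import secrets

# Constructed inventory: one entry per significant account, filled in by hand
# while reading each service's recovery settings. All names are hypothetical.
ACCOUNTS = [
    {"account": "legacy-bank", "questions": ["Mother's maiden name", "First pet"],
     "can_disable": False},
    {"account": "old-forum", "questions": ["First school"], "can_disable": True},
    {"account": "mail", "questions": [], "can_disable": True},
]


def false_answer(nbytes=10):
    """Return a random answer unrelated to any true fact.

    Hex is grouped in fives so it can be typed or read aloud to a support desk.
    """
    raw = secrets.token_hex(nbytes)
    return "-".join(raw[i:i + 5] for i in range(0, len(raw), 5))


def plan_audit(accounts):
    """Decide, per account, whether to remove or replace security questions."""
    plan = []
    for acct in accounts:
        step = {"account": acct["account"], "action": "none", "answers": {}}
        if acct["questions"] and acct["can_disable"]:
            # Assumption: removing the recovery route beats keeping a false answer.
            step["action"] = "remove"
        elif acct["questions"]:
            # A separate random answer per question and per account, so one
            # service's stored answers reveal nothing about another's.
            step["action"] = "replace"
            step["answers"] = {q: false_answer() for q in acct["questions"]}
        plan.append(step)
    return plan


if __name__ == "__main__":
    for step in plan_audit(ACCOUNTS):
        print(step["account"], "->", step["action"])
        for question, answer in step["answers"].items():
            # Record these in the same safe place as the account's password.
            print(f"    {question}: {answer}")
```
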