When large-scale data breaches and hacking events first became headline news, thieves were after credit card information, debit card accounts, and other payment details. But the problem with that type of low-hanging fruit is it’s all too easily changed. Within moments of the first fraudulent transaction–if it even goes through–consumers can be alerted by their banks, those accounts terminated, and new accounts opened in what has become an almost seamless process.

yahoo

The Yahoo logo is shown at the company’s headquarters in Sunnyvale, California April 16, 2013. The company will release its quarterly results on Tuesday. REUTERS/Robert Galbraith (UNITED STATES – Tags: BUSINESS)

Now, savvy hackers have shifted gears towards more permanent information. Social Security numbers and NHS numbers are the Holy Grail of consumer data, of course, but there are a few surprising and overlooked options that are tempting as well.

While everyone has been so focused on account security and using strong, unique passwords on their online accounts, a lot of people overlooked the one account that affords a thief access to all of the others: email accounts. With the propensity to reuse user names and password, combined with the fact that your email account is where all “forgot my password” reset links go, gaining control over large numbers of email accounts will prove lucrative.

But last week’s revelation that Yahoo was hacked, an event that is being called the largest data breach in history, sheds some light on a whole other type of permanent information that hackers want. Despite the fact that the stolen information dates back to 2014 (and the fact that a significant number of users haven’t changed their passwords since then), hackers stole a malleable but semi-permanent piece of information: security questions and answers.

Face it, when you open an account and have to provide answers to two different security questions, there’s a really limited number of questions. Whether it’s mother’s maiden name, street you grew up on, name of first boyfriend or girlfriend, etc., that information isn’t going to change. You’re stuck with it. While the questions may eventually vary, it will circle back to information that you can easily recall and is limited in its open-ended scope.

Theoretically, you could lie when you answer the questions, say, listing your mother’s maiden name as Smith when it was actually Jones. But if you do that on any other site, you’re back to providing information that hackers can reuse against you.

Until the fantasy world of impenetrable servers becomes a reality, consumers still only have the fallback of a strong, unique password that is changed frequently, often enough to keep old information from coming back to haunt you.