I’m on hold.
I’ve been on hold for several hours. Every few minutes a recorded voice interrupts the Muzak to promise that, despite evidence otherwise, my call is important. Right. The line suddenly cuts out. So I call again, and the Sisyphean cycle repeats three more times before I give up for the day. I’ll try again tomorrow.
This isn’t about tech support. I’m here for emotional support. More specifically, I’m trying to recover something lost, something important to me that technology has made inaccessible: my first email account.
A few weeks ago, while moving out my house, I found a shoebox full of old journals and letters dating back to middle school buried in my closet. Inside were notes from people I’d forgotten about, small trinkets my grandfather gave me, and other knickknacks tying me to the past. I thought about my first Yahoo email account—the one I made before middle school and used during most of high school—and the hundreds of emails I sent. I thought of the summer between 5th grade and 6th grade when Yahoo was how I communicated with a girl I was “dating” since neither of us had a cell phone, and I was too scared to call her house. I opened Yahoo, something I hadn’t done in years, and tried logging in. No dice. I had forgotten my password. I clicked on my security question:
“Where did you spend your honeymoon?”
The answer to this question is probably unforgettable in most cases. But I’ve never been married, so I've definitely never gone on a honeymoon. Yahoo tells me I accessed this account on November 24, 2009, and changed my security questions. I vaguely remember this. I had just turned 18, and I gave what I thought were clever, humorous responses—answers so ingrained in who I am that I couldn’t possibly forget. Five years later, I got nothing.
Maybe most people would give up, forget about this minor obsession, and move on with their lives. I try a different approach. If I proposed the question to friends and strangers online, would we be able to “hack” my account? What would it look like to crowdsource the answers to my security questions? To find out, I posted an open call on my personal blog asking people to guess where I spent (or where 18-year-old me thought he would spend) my honeymoon. I vowed to buy the winner a pizza or send him or her a to-be-determined gift in the mail.
And then I waited.
Guesses started streaming in.
To my surprise, within a couple hours someone figured out the correct answer: paris, with a lowercase “p.” I was relieved. But just as I thought I was about to access the old account, something terrible happened: a second, more challenging security question appeared on my screen.
“What is your main frequent flier number?”
I chose this question in 2009. As far as I know, I didn’t have a frequent flier number until this year. I tried some of the obvious numbers an 18-year-old might choose—my birthday, 420, 69—to no avail. Feeling discouraged, I put out another request for guesses on my blog. There were plenty of submissions; none were correct.
I sent an email to Yahoo explaining my situation. A few hours later, a response:
Thank you for contacting Yahoo. We appreciate the verification information you have provided so far. In order for us to proceed… provide the answer to the second security question. We're looking forward to your reply, Cort.
I listed all possible answers and clicked send. Minutes later, another reply:
Thanks for getting back to us. Unfortunately, the answers you have provided do not match the answers in our system. Without it, we will be unable to confirm your account.
Now I’m on hold again, after three more hours, and I’m feeling desperate. If Yahoo won’t help me, maybe someone who knows Yahoo security better than it knows itself can help. So I call a person who successfully hacked a high-profile Yahoo email account. (He asked that I refrain from using his name so that he could speak freely.)
“What you’re talking about isn’t so much hacking as it is social engineering,” he says. “You need to put yourself in the mindset of how you were five years ago.”
By social engineering, he means a non-technical way of gaining access to a system. “Sometimes you have to think outside of the box,” he says. “In your case, maybe ‘frequent flier number’ is code for something else in your life and not a number at all.”
In this hacker’s case, instead of trying to hack into software, or bypass security, he simply knew his victim’s email address and researched the correct answers to likely security questions so he could reset the password. This is where two-step verification security, a feature Yahoo now offers, would’ve kept him out. Two-step verification is also what could have let me back in. However, when I last updated my account security, two-step verification wasn’t offered, making it impossible for Yahoo to now verify my identity using my cell phone.
The hacker suggests he might be the reason I’m having such a hard time convincing Yahoo I am who I am. “People get inside systems by providing partial information all the time,” he says. “They say, ‘Look, it’s me. Now give me access to everything.’ After I did what I did, they changed the password recovery system. Maybe that’s why they won’t give you access. Sorry about that.”
And so, I turn to you, readers: Can you guess my forgotten answer to this security question? What number could I have entered into that box?
In the meantime, I pull up Yahoo and start guessing again, knowing that in all likelihood there will always be a vast archive of my childhood just a few keystrokes away, and forever out of reach.