Illustration: Lisa Hornung/TechRepublic

It’s human nature; most of us love to talk about ourselves or at least share details about our past and preferences. And social media loves that, too, since it gets people engaged and participating.

There is just one problem: you might inadvertently, or even deliberately, give strangers details that later come back to haunt you, and not just in the form of targeted ads, which are the least of the worries.


It’s not just scandalous material that can do you in. Quite the contrary: the most ordinary (even dull) details of your life might cost you in the form of identity theft, compromised accounts or stolen funds.

Case in point: an early form of social engineering on Facebook came as would-be humorous prompts like “Your celebrity stage name is your mother’s maiden name plus the street you grew up on! Post the results in the comments!”

This was a blatant attempt to harvest the answers to two of the most common security questions, and fortunately most people (in my circle) were too savvy to fall for it.

But the prompts have become more sophisticated and less suspicious. I’ve noticed a significant uptick in Facebook questions that ask users to answer seemingly innocent questions one wouldn’t think could put anyone in danger.

One question invited commenters to post how many miles they live from the place they were born. I live an undisclosed distance from my hometown, so posting the answer wouldn’t by itself identify it; a single distance only tells someone that my hometown lies somewhere on a circle of that radius around my current city. Every town on that ring is now a candidate, though, and one more clue (a state mentioned elsewhere, a school, a sports team) shrinks the list quickly. Anyone who answers “zero,” however, places themselves at immediate risk. One look at their Facebook profile to see what they listed as their current city, and now you know the answer to a very common security question: “What city were you born in?”
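To make the circle argument concrete, here is an added example (not from the original article) of the inference someone could run once a profile gives the current city and a comment gives a distance. The city list and coordinates are constructed sample data standing in for a real gazetteer, and the 15% tolerance and 5-mile floor are assumed values for how loosely people round their answers.

```python
import math

# Constructed sample data: approximate (lat, lon) of a few US cities,
# standing in for whatever gazetteer an attacker would actually use.
CITIES = {
    "Chicago": (41.88, -87.63),
    "Milwaukee": (43.04, -87.91),
    "Madison": (43.07, -89.40),
    "Indianapolis": (39.77, -86.16),
    "Detroit": (42.33, -83.05),
    "Cincinnati": (39.10, -84.51),
    "St. Louis": (38.63, -90.20),
    "Columbus": (39.96, -82.99),
    "Cleveland": (41.50, -81.69),
    "Minneapolis": (44.98, -93.27),
}

EARTH_RADIUS_MI = 3958.8


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))


def candidate_hometowns(current_city, claimed_miles, tolerance=0.15, floor_miles=5.0):
    """Cities whose distance from current_city matches the claimed figure.

    People round ("about 250 miles"), so accept a +/- tolerance band. The
    absolute floor (assumed value) keeps an answer of "zero" from collapsing
    the band to a single point; it still returns only the current city.
    """
    origin = CITIES[current_city]
    slack = max(claimed_miles * tolerance, floor_miles)
    return {
        name for name, coords in CITIES.items()
        if abs(haversine_miles(origin, coords) - claimed_miles) <= slack
    }


if __name__ == "__main__":
    # Profile says "Lives in Chicago"; comment says "about 250 miles".
    print(sorted(candidate_hometowns("Chicago", 250)))
    # Comment says "zero": the hometown is the profile's current city.
    print(sorted(candidate_hometowns("Chicago", 0)))
```

Even against this ten-city toy list, "about 250 miles" cuts the candidates to four; against a real gazetteer the ring is longer, but it is still a ring, and any second clue intersects it.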


Another great example is the common question: “What was the first concert you attended?” Who doesn’t enjoy reminiscing about a wonderful experience? Take a moment to gush about how great it was seeing the Rolling Stones in 1971, and chances are people now know what you’ve probably answered to any security question asking about your favorite band or, yes, the first concert you attended.

Same goes for “Post the name of a pet you’ll miss forever.” Chances are that was your first pet, so once you type in “Fluffy” (not the name of my first pet) there’s another security question someone can answer on your behalf.

I proved this to a relative who was skeptical of such dangers. I knew her favorite song was “Stayin’ Alive” by the Bee Gees. I also knew her email address. I went to the web portal for her email provider, entered her account name and clicked “Forgot Password.”

Guess which security question came up for me to answer to reset her password? If you guessed “What’s your favorite song?” you win the prize for today. All I needed was that one bit of information. She was appalled, and I advised her to change that answer immediately. I did not actually reset her password. Note what the flow revealed along the way: the provider displayed the question to anyone who typed in the account name, so the question itself was never a secret, and the answer was the only thing standing between a stranger and the account.


When creating accounts, I recommend not answering security questions accurately at all. There’s no requirement to do so. Tell them you were born in Snake River Canyon, Idaho, and your favorite band is Alvin and the Chipmunks, for all these sites care (no offense to Chipmunk fans). Better still, make the answer random rather than merely false: a fake answer that is still a real city or a real band is something an attacker can guess through the reset form, whereas a few random words are not. Store the fake answers in a password manager such as KeePass. This works well because you can copy and paste the answers into web forms and you don’t have to worry about nit-picky details like forgetting the comma between the city you were born in and the state, thus causing your answer to be rejected. And where a site offers a stronger recovery option, such as an authenticator app or a hardware key, prefer it and treat the questions as a last resort.
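As an added example (not from the article, and not KeePass’s own tooling), here is how the random-answer part of that advice looks in Python. The word list is a constructed 32-word sample; the 7,776-word figure used for comparison is the size of the EFF long word list, and the 2,000-band candidate pool in the main block is an assumed number, chosen only to show the gap in entropy between a truthful answer and a random one.

```python
import math
import secrets
import string

# Constructed word list for the demo. A real deployment would use a large
# published list (the EFF long list has 7,776 words); the list size is what
# sets the entropy per word.
WORDS = [
    "amber", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "timber", "umber", "velvet", "willow", "yarrow",
    "zephyr", "birch", "canyon", "delta", "falcon", "garnet", "heron", "ivory",
]


def entropy_bits(num_words, vocab_size):
    """Entropy of a phrase of num_words drawn uniformly from vocab_size words."""
    return num_words * math.log2(vocab_size)


def generate_answer(num_words=4, words=WORDS):
    """Random, letters-only 'security answer' with no relation to the user.

    secrets.choice is the CSPRNG; random.choice would be guessable in principle.
    """
    return " ".join(secrets.choice(words) for _ in range(num_words))


def fits_form(answer, max_len=50):
    """Typical form validation: length cap, letters and single spaces only.

    Punctuation is deliberately excluded so the stored answer never trips
    over the 'comma after the city' style of rejection.
    """
    allowed = set(string.ascii_letters + " ")
    return (0 < len(answer) <= max_len
            and all(c in allowed for c in answer)
            and "  " not in answer)


def make_answers(questions, num_words=4, words=WORDS, max_len=50):
    """One record per prompt, ready to paste into a password manager entry.

    Each record keeps the prompt text verbatim, because the reset flow asks
    the question by its original wording and you have to match the right one.
    """
    records = []
    for q in questions:
        for _ in range(100):  # redraw if a phrase exceeds the form's length cap
            ans = generate_answer(num_words, words)
            if fits_form(ans, max_len):
                break
        else:
            raise ValueError("could not fit an answer under the length cap")
        records.append({
            "question": q,
            "answer": ans,
            "entropy_bits": round(entropy_bits(num_words, len(words)), 1),
        })
    return records


if __name__ == "__main__":
    prompts = ["What city were you born in?",
               "What was the first concert you attended?"]
    for rec in make_answers(prompts):
        print(f"{rec['question']}  ->  {rec['answer']}  ({rec['entropy_bits']} bits)")
    # Assumed: a realistic guessing pool for "favorite band" is a few thousand names.
    print("truthful 'favorite band' answer, ~2000 candidates:",
          round(entropy_bits(1, 2000), 1), "bits")
    print("4 random words from the 7,776-word EFF list:",
          round(entropy_bits(4, 7776), 1), "bits")
```

The point of the comparison is that a truthful answer, even an obscure one, is drawn from a small public pool, while four words from a large list give roughly 52 bits, which no rate-limited reset form will let anyone guess through.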

Do I think every single social media quiz or question is a nefarious attempt to harvest personally identifiable data? No. I’m sure some are well-meaning and innocuous. I can’t at this moment envision how answering “Fried chicken or hamburgers?” puts you at serious risk UNLESS you have a related security question out there identifying your love for either, but you’ll likely, at the very least, start seeing tailored ads for chicken or burgers once you enter that answer. Err on the side of caution, and just keep scrolling.
