That slick maneuver is known as multipurposing—using personal data obtained in one account to break into other accounts—according to one security expert I spoke with earlier this week at the Online Trust Alliance’s Data Privacy Day Town Hall in New York City.
Here’s how it works. Once the criminal has your e-mail address, he tries to sign into accounts at some large banks or major shopping sites, claiming to have forgotten the password. Some institutions will e-mail a “password reset” link or, worse, the password itself, to your address.
Assuming the criminal can read that e-mail because he had already stolen the e-mail password (as was the case in the theft of the Yahoo accounts), he will be able to set his own password for your bank or shopping account and likely have full use of it.
A criminal has a couple of other reasons to go after your e-mail address and password.
He may be able to use them to figure out which institutions you have online accounts with, the better to target you with fraudulent phishing e-mails that appear to come from them.
Once he's in your e-mail account, a thief can send malicious software or a fraudulent web link to your friends, family, or business acquaintances. Appearing to come from you, such a message will probably be trusted, increasing the chance that the malicious attachment or fraudulent site will achieve its goal of compromising your friend's computer or online accounts.
The best way to protect yourself? Use something other than your e-mail address as your ID for bank account(s) and other online accounts that store your birth date, Social Security number, and other sensitive information.
Also, don't use an identical ID for multiple accounts. But even if you do, at least you’ve made it tougher for a criminal who has your e-mail address to break into those accounts.
Finally, be sure to use a strong password, and use a different one for each important account.