Don't make your e-mail address your user ID

As the theft of Yahoo addresses shows, you increase your risk of ID theft

Published: January 31, 2014 11:25 AM

The news that thieves have stolen the e-mail address of millions of Yahoo users should serve as a warning if you've used an e-mail address as a user ID for a banking, shopping, or other online account.

Using your e-mail address to sign into accounts has its benefits. Your ID is unique and easy to remember, and it makes it simple for a service to contact with you when, say, you forget your password.

But in some cases, the risks of doing so could outweigh the benefits. Criminals can use that address as a master key to help them break into any other account for which you’ve used the e-mail address as an ID.

For more tips on how to hack-proof passwords, check our online security guide.

That slick maneuver is known as multipurposing—using personal data obtained in one account to break into other accounts—according to one security expert I spoke with earlier this week at the Online Trust Alliance’s Data Privacy Day Town Hall in New York City.

Here’s how it works. Once the criminal has your e-mail address, he tries to sign into accounts at some large banks or major shopping sites, claiming that he forgot his password. Some institutions will e-mail a “password reset” link or, worse, the password itself, to your address.

Assuming the criminal can read that e-mail because he had already stolen the e-mail password (as was the case in the theft of the Yahoo accounts), he will be able to set his own password for your bank or shopping account and likely have full use of it.

A criminal has a couple of other other reasons to go after your e-mail address and password.

He may be able to use them to figure out which institutions you have online accounts with, the better to target you with fraudulent phishing e-mails that appear to come from them.

Once he's in your e-mail account, a thief can send malicious software or a fraudulent web link to your friends, family, or business acquaintances. Appearing to come from you, such a message will probably be trusted, increasing the chance that the malicious attachment or fraudulent site will achieve its goal of compromising your friend's computer or online accounts.

The best way to protect yourself? Use something other than your e-mail address as your ID for bank account(s) and other online accounts that store your birth date, Social Security number, and other sensitive information.

Also, don't use an identical ID for multiple accounts. But even if you do, at least you’ve made it tougher for a criminal who has your e-mail address to break into those accounts.

Finally, be sure to use a strong password, and use a different one for each important account.

—Jeff Fox

E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

Electronics News


Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings


Mobile Get Ratings on the go and compare
while you shop

Learn more