Crowell is right; most people do reuse their passwords, said E.J. Hilbert, a former U.S. Federal Bureau of Investigation agent who is now president of fraud investigation company Online Intelligence. It's a bad habit that needs to change. "You need to use different passwords for different sites. Period. Across the board," he said.
In a sense, Crowell was lucky. The hackers didn't break into her email account. When that happens, things can become much worse because hackers can often access the victim's other Web accounts by claiming to have forgotten the password and asking for a new one to be sent via email.
There are often treasures in the victim's sent mailbox and archives. Old email messages often include personal information that can be used in further attacks, and a surprising percentage of email accounts also include nude or embarrassing photos.
Finally, criminals can use the email addresses to send malicious software to military and government employees, in what could be the first stage of a larger attack, Hilbert said. These targeted spearphishing attacks are a big problem for the government and military contractors, and have become a standard way for hackers to break into secure systems over the past half-decade.
"Government email addresses should not be used for non-governmental work, and if they are there's a huge, huge problem," Hilbert said.
Although she knew she was making a mistake by reusing her password, Crowell was still "shocked" when she discovered the fraud. "It's one of the things that you hear about all the time, but you never think it'll happen to you."