Leaky web sites provide trail of clues about corporate executives

29.08.2012

The research by Cerrudo underscores the extent to which e-mail addresses have become the linchpin of online identity. In recent years, popular web sites - Facebook chief among them - have dispensed with unique logins in favor of using the customer's e-mail address as an account identifier. Those sites then "over-share" information as part of the login process, disclosing whether an e-mail address already exists in their systems when users attempt to log in or use password recovery features, said Grossman of WhiteHat Security.

Social networking and e-commerce sites are often designed to help users who are having trouble logging in -- for example, by indicating whether an account exists but the password is wrong, or whether no such account exists, said Grossman, an expert on Web security. Attackers can use automated tools to "brute force" those features, gaining access to the accounts. Security features that limit logins from a specific IP address or use CAPTCHA-style challenge and response technology to prevent automated attacks aren't effective at stopping these attacks, Grossman said. Data from WhiteHat suggests that around 16% of all sites are vulnerable to that type of brute force attack.

"There's really no effective way to rate-limit logins," Grossman said. And social networking sites are caught between competing desires: securing account access and providing a quality user experience for customers who may have innocently forgotten their password. "You can't have your cake and eat it, too," Grossman said.
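The disclosure described above lives in the wording of the site's own error messages, so the response-side fix does not depend on rate limiting: a login or recovery endpoint that answers identically whether or not the address is registered, and does the same hashing work on both paths, gives an enumeration attempt nothing to read. The following is an added illustration, not code from the article or from WhiteHat; the user store, e-mail addresses and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo user store: e-mail -> (salt, PBKDF2 hash). Not real accounts.
_DEMO_USERS: dict[str, tuple[bytes, bytes]] = {}
_PENDING_RESETS: dict[str, str] = {}


def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    _DEMO_USERS[email.lower()] = (salt, _hash(password.encode(), salt))


# A dummy credential hashed on every miss, so an unknown e-mail costs the
# same time as a known one and the timing side channel is closed as well.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(b"dummy-password", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """'Helpful' login: its two failure messages reveal which e-mails have accounts."""
    rec = _DEMO_USERS.get(email.lower())
    if rec is None:
        return "No account exists for this e-mail address"
    salt, stored = rec
    if hmac.compare_digest(_hash(password.encode(), salt), stored):
        return "OK"
    return "Incorrect password"


def login_uniform(email: str, password: str) -> str:
    """Hardened login: one failure message and identical work on every path."""
    rec = _DEMO_USERS.get(email.lower())
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    # The hash is always computed; the 'and' only decides the verdict afterwards.
    ok = hmac.compare_digest(_hash(password.encode(), salt), stored) and rec is not None
    return "OK" if ok else "Invalid e-mail address or password"


def recovery_uniform(email: str) -> str:
    """Password recovery whose reply is the same for registered and unknown addresses."""
    key = email.lower()
    if key in _DEMO_USERS:
        _PENDING_RESETS[key] = secrets.token_urlsafe(32)  # would be mailed, with an expiry
    return "If that address is registered, a reset link has been sent"
```

Only the recipient of the e-mail learns whether a reset was issued; the HTTP response itself carries no account-existence signal.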

Still, he acknowledged that the practice isn't without risks. Clever (and even not-so-clever) attackers could use knowledge of the link between the executives' e-mail accounts and the online service to assemble a profile of an executive, then craft a convincing phishing attack containing a malicious attachment. Attackers could also use the web sites' password recovery features and knowledge gleaned from publicly accessible sources to gain access to, and control of, the executives' accounts. Things being as they are, that same e-mail and password combination might provide access to other web sites and corporate resources as well.

The problem is magnified by cloud services such as Apple's iCloud and Amazon.com's Amazon Web Services (AWS). In just the most recent example of this, an article on Wired.com by writer Matt Honan described how malicious hackers were able to use knowledge of his e-mail address and some social engineering to take over that account and then use connected services to remotely erase both his computer hard drive and mobile phone. Knowing that high value targets like Microsoft CEO Steve Ballmer and Apple CEO Tim Cook use DropBox, and what their account ID is, puts attackers just a couple of challenge-response questions away from taking over their account. That doesn't mean that those accounts hold any sensitive corporate documents, Grossman noted. But most malicious hackers or sophisticated attackers would at least have a go at hacking them on the off chance that the CEOs got sloppy and stored a document with high impact, he said.