An iProduct game called Hack RUN gave
me cause to think. In Hack RUN you assume the role of a
disassociated, burned-out programmer type offered a job to crack level
after level of a computer network for a mysterious future employer.
Hack RUN asks you to start with one piece of
information and deduce answers to consecutive riddles using an old
school 3270 terminal. One thing leads to another, and like the
fabled sweater, the whole thing unravels.
What would today's hacker pull on to unravel our
sweater?
I think they'd pull on our personal email account.
After all, it follows you through much of your life, longer
than work email accounts anyway, and you use it to set up all other
accounts in your online world.
Most people aren't going to have their own personal
domain name, or even want one. So we turn to free email account
providers and an email address that ends in @yahoo, @gmail,
@icloud, @cetera @cetera @cetera. I guess you could make an
argument for hiding in plain sight, but the reality is that hackers
are going to attack the largest herd of possible victims, and there
we are, setting up our free email account only to become part of
the big herd.
Once we settle on a name that's not already in use
we have to provide a password, one that's easy to type and
remember. The most popular Yahoo passwords, those used on 400,000
hacked Yahoo accounts, are 123456, password, welcome, ninja,
abc123, 123456789, 12345678, sunshine, princess and
qwerty. Add monkey, letmein, dragon, baseball, iloveyou,
trustno1, shadow, ashley, football, jesus, michael, mustang and
password1 and you pretty much have the top 25 of the herd.
Now that we have a personal account, in the
most likely attacked community, and the top passwords are public
knowledge, we use it to set up all our other accounts in our online
world. If these email accounts and passwords aren't the username
and password for our other accounts, they are most likely what
"reset my password" and "I forgot my username"
are attached to.
Sometimes we don't even use these accounts.
Sometimes we only keep them around for the very reason they are so
dangerous, because they're tied to every other account we've set up
in our online world.
Once your email account is compromised, your attacker
can log in to your account and view your email, or change settings
to have it sent to them, even check a box to allow their Outlook to
send and receive using your account. All things you can do from
your settings, no special hacker skills required. Now the hacker
can access your email, and you won't even know.
Your email indicates websites where you shop, where
you're likely to have accounts, and hackers already have the
key. An order confirmation, a special offer, or newsletter
tells a hacker exactly where to go. It doesn't matter if your email
address and password get them in or not. All they have to do is
click "I forgot my username" or "reset my
password" and your credentials, or a password reset, will
be sent to them using your personal email.
Now they have your credentials and can log in to your
account, use your saved credit card information, and go shopping.
They can delete or reroute order confirmation and tracking information
emails, all things you can do from your settings, and you wouldn't
even know.
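As an added illustration, not part of the original post, here is a small Python model of the chain just described. The account names and recovery links are constructed for the example, and the post's own list of top Yahoo passwords is used as the weak-password check. Following each "reset my password" link from the personal email account shows how much of the sweater unravels.

```python
from collections import deque

# The 23 passwords the post quotes from the 400,000 hacked Yahoo accounts.
TOP_YAHOO = {
    "123456", "password", "welcome", "ninja", "abc123", "123456789",
    "12345678", "sunshine", "princess", "qwerty", "monkey", "letmein",
    "dragon", "baseball", "iloveyou", "trustno1", "shadow", "ashley",
    "football", "jesus", "michael", "mustang", "password1",
}

# Constructed sample inventory (hypothetical names, not from the post).
# "recovery" names the account that receives this account's reset links;
# None marks an account that recovers some other way (phone, hardware key).
ACCOUNTS = {
    "personal-email": {"recovery": None, "password": "sunshine"},
    "work-email": {"recovery": "personal-email", "password": "v8#Lq2!pT"},
    "shop": {"recovery": "personal-email", "password": "c4Rt&7Wm"},
    "bank": {"recovery": "personal-email", "password": "bN!2xZ9q"},
    "saas-tool": {"recovery": "work-email", "password": "Hj7$kL0p"},
    "hobby-forum": {"recovery": None, "password": "G3*mQ8vR"},
}

def weak_accounts(accounts):
    """Accounts whose password appears in the published top list."""
    return sorted(n for n, a in accounts.items() if a["password"].lower() in TOP_YAHOO)

def blast_radius(accounts, start):
    """Every account reachable from `start` by following 'reset my password'
    links: the transitive closure of the recovery graph, as a sorted list."""
    reached, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for name, acct in accounts.items():
            if acct["recovery"] == current and name not in reached:
                reached.add(name)
                queue.append(name)
    return sorted(reached)

def exposure_from_weak_passwords(accounts):
    """Map each weak-password account to how many accounts fall with it."""
    return {n: len(blast_radius(accounts, n)) for n in weak_accounts(accounts)}

if __name__ == "__main__":
    for name, count in exposure_from_weak_passwords(ACCOUNTS).items():
        print(f"{name}: weak password exposes {count} account(s): "
              f"{', '.join(blast_radius(ACCOUNTS, name))}")
```

The only account with a top-list password is the personal email, yet five of the six accounts fall with it; only the one that recovers some other way survives.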
The rest of it isn't rocket science, or more
importantly for Cocktail Talk, computer science, but the February
2008 Cocktail Talk tells you a little about how they get from there
to cash money using ebay and overpriced cell phones.
Change your password, or not, that's your call, and
that's Cocktail Talk.