Okay, my input on this.
Assume that I happen to see someone log out of KH Insider, leaving his account info on a public computer (or even my computer... just makes it easier), and assume I had malicious intent. I'd write down that person's username and password, just to be sure, in case I mess something up. After that, I'd log in on KHI as said person, and go to "Edit Options" in the User CP. That would have said person's e-mail address displayed, plain for me to view. After that, I'd try my luck, and assume that two things are true:
- The person uses a free e-mail host like Windows Live or Google Mail (a.k.a. GMail), so I know where I could log in with that e-mail address, provided I have the password.
- The person uses the same password for KHI and e-mail, as he does for most other services. Sadly, this is overwhelmingly more often true than false.
If all goes well, I now have access to that person's e-mail account. I can now read that person's e-mail, and write e-mail under that person's name. If I want to be really sneaky, I change that person's password so that only I have access to it afterwards. After that, I'd try accessing sites like MySpace or Facebook, using the e-mail and password, to potentially gain even more information about that person.
BOTTOM LINE:
Having access to KHI credentials can be easily used together with common user habits to deduce further credentials from that person, including e-mail address, and personal details thanks to sites like Facebook and MySpace. Even if the person only accesses the information, but does not abuse it, it still is a major privacy invasion. What I posted above is only an example, and frankly, it doesn't even always work out as easily as that. Still, even if you fail with this 2999 times, there will be a 3000th user who is vulnerable to this method. Make sure it isn't you.
Hope this helped you understand why you should always take good care of your credentials.