The Facebook connection?

As previously discussed, the Chinese fake-storefront scammers who have been using other people's Hotmail accounts to send spam have also been hijacking Gmail accounts. Talking to people who have had their Gmail accounts hijacked has revealed one interesting fact: everyone we spoke to had used the same password for both Gmail and Facebook.

At this point, our sample is very small, so it's too early to draw any definite conclusions. Nevertheless, it does raise an interesting possibility, which is that the scammers are acquiring the user's Facebook credentials first, and then checking to see if the user uses the same password for their Gmail (or Hotmail) account. If they do, the scammer now owns both their Facebook account and their webmail.

How could the scammers acquire the user's Facebook credentials? Assuming that there isn't some hideous undiscovered vulnerability in Facebook, the most plausible way would be by phishing, probably by faking a Facebook Connect button. With many users now accustomed to logging in on third-party sites using Facebook Connect, a fake button could potentially catch large numbers of unwary users.

Whether or not Facebook is involved, this illustrates an important point. If you use any service - such as Facebook - that uses your email address as your login or stores your email address, make sure that the password you use is not the same as the password you use to access your email. Otherwise, if your password is compromised on the other system, your email is also at risk. And a hacker who has access to your mail can do a lot worse than simply sending spam advertising fake Chinese e-commerce sites.
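A practical way to act on that advice is to check a password-manager or browser export for exactly the reuse the post describes. The following is an added example, not code from the original post; it assumes a constructed CSV export in the common `name,url,username,password` layout and a hypothetical list of webmail hostnames.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Hostnames treated as "the webmail account" for this check (assumption: adjust to taste).
WEBMAIL_HOSTS = {"accounts.google.com", "mail.google.com", "gmail.com",
                 "hotmail.com", "login.live.com", "outlook.live.com"}

# Constructed sample export; these are not real credentials.
SAMPLE_EXPORT = """name,url,username,password
Gmail,https://accounts.google.com/,alice@gmail.com,Tr0ub4dor&3
Facebook,https://www.facebook.com/login,alice@gmail.com,Tr0ub4dor&3
Shop,https://shop.example.com/,alice@gmail.com,different-pw-1
Forum,https://forum.example.org/,alice_x,different-pw-1
Bank,https://bank.example.net/,alice@gmail.com,unique-bank-pw
"""


def host_of(url):
    """Normalise a stored URL to a bare hostname (drops a leading 'www.')."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_reuse(export_csv):
    """Return (email_risk, clusters).

    email_risk: non-webmail sites that share a password with a webmail entry,
                i.e. the sites whose compromise would hand over the mailbox.
    clusters:   every group of two or more sites that share one password.
    """
    by_password = defaultdict(list)  # password -> hostnames using it
    webmail_passwords = set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        host = host_of(row["url"])
        by_password[row["password"]].append(host)
        if host in WEBMAIL_HOSTS:
            webmail_passwords.add(row["password"])
    email_risk = sorted({h for pw in webmail_passwords
                         for h in by_password[pw] if h not in WEBMAIL_HOSTS})
    clusters = sorted(sorted(hosts) for hosts in by_password.values() if len(hosts) > 1)
    return email_risk, clusters


if __name__ == "__main__":
    risk, groups = find_reuse(SAMPLE_EXPORT)
    print("Sites sharing the webmail password:", risk)
    print("All reuse groups:", groups)
```

The export contains plaintext passwords, so run this locally against a copy and delete the file afterwards.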
