[finnw]

I had a very insecure password on adobe.com. i.e. low-enough entropy that 55 users had the exact same password. I figured since Adobe do not have my credit card number and there is nothing to gain by impersonating me on that site, it did not matter. I have not used the same email/password combination elsewhere, but even if I did it would only be on other low-value accounts. I'm not worried about attackers finding it by association either (they will have it already from dictionary attacks.)

[dephex]

I had something similar happen to one of my Windows Live accounts. Someone somehow broke into it and, although I did not have any credit card information, they decided to continue to use it. They added a stolen credit card to the account. I received an email in japanese from Xbox Live (! I have never owned an Xbox, someone converted my account, nor do I speak japanese) at one point which prompted me to call their support and figure all of this out.

But the point I'm trying to get across is, if I were unlucky that could have turned into a HUGE mess where I was accused of stealing said credit card. Luckily that did not occur (probably because they could trace it to a separate IP address.. and I don't own an Xbox). I no longer use passwords as insecure as I did for that account - I had to deal with this headache while at my family's Christmas party as well (because that is when I received the email), which made it even more irritating.