Leaky web sites provide trail of clues about corporate executives

29.08.2012

Past social engineering Capture the Flag competitions have targeted iconic firms like McDonald's, WalMart, Microsoft, Google, Ford and Pepsi. The results suggest that even wealthy, well-resourced companies are ill-equipped to fend off sophisticated social attacks that use publicly available information to help gain the trust of intended targets. Companies should make their employees aware of the risks of using their corporate e-mail on social networking and other consumer sites, said Grossman. "They need to know what the trade-offs are, and make a decision based on their tolerance for risk."

As for the web site owners, attention to account security varies. Many large consumer banks have abandoned the use of e-mail addresses as account identifiers, Grossman said. But social networking and other sites value convenience and ease of access more highly.

Security conscious firms should think about treating the user ID like a separate password -- unique and difficult to guess, and separate from other corporate identifiers like an e-mail address, Grossman said. That makes it all the harder for attackers to know which account to focus their attention on.
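One way a site could act on that recommendation, written here as an added example (not code from the article, from IOActive, or from any site it names; the class, message strings and outbox are hypothetical): accounts are keyed by a random user ID rather than the e-mail address, and login and password-reset replies read the same whether or not an address is registered, so a probe cannot link a corporate e-mail to an account.

```python
import hashlib
import secrets

GENERIC_LOGIN_MSG = "Invalid user ID or password."
GENERIC_RESET_MSG = "If that address has an account, a reset link has been sent."
KDF_ROUNDS = 100_000


class AccountStore:
    """Accounts keyed by an opaque random user ID, not by the e-mail address (hypothetical)."""

    def __init__(self):
        self._accounts = {}     # uid -> {"email", "salt", "pw_hash"}
        self._email_index = {}  # sha256(email) -> uid; internal only, never shown to clients
        self.outbox = []        # stand-in for the outgoing reset-mail queue

    @staticmethod
    def _email_key(email):
        return hashlib.sha256(email.strip().lower().encode()).hexdigest()

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)

    def register(self, email, password):
        uid = secrets.token_urlsafe(16)  # 128 random bits; not guessable, not derived from the e-mail
        salt = secrets.token_bytes(16)
        self._accounts[uid] = {"email": email, "salt": salt, "pw_hash": self._kdf(password, salt)}
        self._email_index[self._email_key(email)] = uid
        return uid  # the only identifier the user ever types at login

    def login(self, uid, password):
        """Unknown uid and wrong password produce the same message and the same KDF cost."""
        acct = self._accounts.get(uid)
        if acct is None:
            self._kdf(password, b"\0" * 16)  # burn equal time so timing does not reveal existence
            return (False, GENERIC_LOGIN_MSG)
        if not secrets.compare_digest(self._kdf(password, acct["salt"]), acct["pw_hash"]):
            return (False, GENERIC_LOGIN_MSG)
        return (True, "ok")

    def request_password_reset(self, email):
        """Same reply whether or not the address is registered; only the mail side effect differs."""
        uid = self._email_index.get(self._email_key(email))
        if uid is not None:
            self.outbox.append(self._accounts[uid]["email"])
        return GENERIC_RESET_MSG
```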

IOActive Security scanned 30 prominent web sites, uncovering 840 unique e-mail addresses of C-level executives linked to 930 online accounts. Here's the breakdown by site category and linked accounts.