An attack on online gossip site Gawker Media has enabled spammers to take over thousands of Twitter accounts.
Gawker said on Sunday its servers had been hacked and 1.3 million user account passwords compromised.
A file containing those details was then published on a file-sharing site by a group allied to the notorious image board 4Chan.
That enabled spammers to break into thousands of Twitter accounts where users had used the same passwords.
Gawker published a statement on its homepage advising its users to change their password after its servers were attacked.
While the stored passwords were encrypted, "simple ones may be vulnerable to a brute force attack", it said.
A group calling itself "Gnosis" subsequently released a 500MB file containing the data taken from Gawker on the file-sharing system Bittorrent.
The motivation for the attacks is not yet clear.
Gawker has previously been targeted by hackers after posting blogs critical of 4Chan.
The attackers also took over Gawker-run Twitter accounts to publish messages supporting Wikileaks.
Gawker has also published blogs critical of Wikileaks founder Julian Assange.
And it is not just Gawker's Twitter accounts that have been broken in to.
Del Harvey, who heads Twitter's trust and security team said a spam attack on the site appeared to be related to the theft of Gawker's account details.
Hundreds of thousands of Twitter users had seen their accounts compromised and messages sent promoting an Acai Berry diet.
"It's all too common that people use the same password for multiple accounts," Rik Ferguson, a security researcher at Trend Micro told the BBC.
Anybody that has had their Gawker account details published can expect to be targeted by other hackers, said Graham Cluley, a consultant at security firm Sophos.
"Every identity thief, hacker and spammer out there will be attracted to that password file," he said.
The impact would have been more serious if compromised accounts had linked to sites containing bank-credential-stealing malware, he added.
Users could protect themselves by creating complex passwords for each online service that needed a password, said Mr Ferguson.
Complex passwords can be made easy to remember, he said.
He suggested taking a the first letters from the words in a phrase a user is likely to remember, such as "I wandered lonely as a cloud".
Some letters can be replaced by symbols, perhaps using "@" instead of "a".
Finally, adding the first and last letter of the website being visited to that phrase creates a unique but memorable password that is hard to guess, he adds.