Cybersecurity experts warn this common email habit is a gift to hackers
Your email address probably feels harmless. It is the thing you type into a shopping site, a streaming service, a booking platform, a rewards program, a ticketing website, a job application portal, and dozens of other accounts without much thought.
But cybersecurity experts are increasingly warning that our email address has become far more than a contact detail. In many cases, it is now our digital identity. It is the key that links together banking, shopping, travel, healthcare, business, social media, subscriptions, password resets, and private communication.
That convenience comes with risk.
For years, the standard approach to online registration has been simple. Enter your email address, create a password, and move on. More recently, many services have removed the password entirely, allowing users to log in with a one-time code sent straight to their inbox. Others encourage users to “Continue with Google” or “Continue with Apple”, making registration almost instant.
On the surface, this feels efficient. There is no new username to remember, no complicated setup process, and often no password to manage. But every time your email address becomes the login point for another service, it creates another connection back to the same central account.
Over time, your email stops being just another account. It becomes the place where your digital life is controlled.
If a hacker gains access to your email, they may be able to use password reset links, login confirmations, and one-time codes to access other services tied to that address. They may also be able to search through years of messages to find addresses, bills, bank communications, medical records, invoices, travel bookings, identity documents, contacts, and personal information.
That information can be used to commit fraud, impersonate you, target your accounts, or build a much more convincing scam.
One recent example involved a person who was contacted by their credit card provider about a fraudulent charge. At first, it looked like a standard case of card fraud. The transaction was for a high-value concert ticket purchased through a website they did not immediately recognise.
After investigating, they realised they had used that ticketing website once before. They had logged in using their email address and a one-time code. There was no password involved. All someone needed was access to the inbox, or the ability to trigger and intercept that login code.
The issue suddenly became much bigger than a credit card charge. The person’s email account contained years of personal details, previous addresses, financial communications, service registrations, and other information that could help an attacker map out their life.
It is also common for email addresses to appear in past data breaches. Once an address appears in leaked data, attackers can connect it to other services, replay the leaked email-and-password pairs against other sites to test for reused passwords (a technique known as credential stuffing), and identify where a person may be vulnerable.
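The credential-stuffing pattern described above has a simple signature on the defending side: one source address failing logins against many different email addresses in a short time, which is unlike a single user mistyping their own password. The following is an added example, not code from the article or from The Hack Academy, of detection logic run over a constructed authentication log; the log format (`ip=`, `user=`, `result=` fields), the thresholds and the sample entries are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Hypothetical log format: one authentication event per line (constructed sample below).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays seven different addresses in a few seconds
# (one of them succeeds), 198.51.100.2 keeps failing against a single address
# (password guessing, not stuffing), and 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2024-05-02T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2024-05-02T10:00:03Z ip=203.0.113.7 user=carol@example.com result=fail
2024-05-02T10:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2024-05-02T10:00:05Z ip=203.0.113.7 user=erin@example.com result=ok
2024-05-02T10:00:06Z ip=203.0.113.7 user=frank@example.com result=fail
2024-05-02T10:00:07Z ip=203.0.113.7 user=grace@example.com result=fail
2024-05-02T10:00:01Z ip=198.51.100.2 user=alice@example.com result=fail
2024-05-02T10:00:09Z ip=198.51.100.2 user=alice@example.com result=fail
2024-05-02T10:00:17Z ip=198.51.100.2 user=alice@example.com result=fail
2024-05-02T10:00:25Z ip=198.51.100.2 user=alice@example.com result=fail
2024-05-02T10:00:33Z ip=198.51.100.2 user=alice@example.com result=fail
2024-05-02T10:00:41Z ip=198.51.100.2 user=alice@example.com result=fail
2024-05-02T10:05:00Z ip=192.0.2.9 user=alice@example.com result=ok
"""


def parse_log(lines: Iterable[str]) -> List[dict]:
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def credential_stuffing_sources(
    lines: Iterable[str],
    min_users: int = 5,
    window: timedelta = timedelta(minutes=10),
) -> Dict[str, dict]:
    """Flag source IPs whose failed logins span >= min_users distinct accounts
    inside any sliding time window, and list the accounts they did get into."""
    fails: Dict[str, list] = defaultdict(list)
    successes: Dict[str, list] = defaultdict(list)
    for e in parse_log(lines):
        if e["result"] == "fail":
            fails[e["ip"]].append((e["ts"], e["user"]))
        else:
            successes[e["ip"]].append(e["user"])

    flagged: Dict[str, dict] = {}
    for ip, attempts in fails.items():
        attempts.sort()
        peak = 0
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in attempts[start:end + 1]}))
        if peak >= min_users:
            # A success from a spraying IP is a likely account takeover, not noise.
            flagged[ip] = {"distinct_users": peak, "hits": sorted(successes.get(ip, []))}
    return flagged


if __name__ == "__main__":
    for ip, info in credential_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, compromised: {info['hits']}")
```

The distinction the detector draws is the one that matters operationally: a single account failing repeatedly is a lockout or brute-force case, while one source cycling through many addresses is replaying a breach list, and any success from that source should be treated as a takeover rather than a legitimate login.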
The first and most important step is to enable multi-factor authentication, especially on your email account. Multi-factor authentication, often called MFA, adds another layer of protection beyond your password. Even if someone knows or guesses your password, they still need a second verification step to access the account.
For many people, the best option is an authenticator app such as Google Authenticator, Microsoft Authenticator, or a similar trusted app. These apps generate temporary codes on your device from a secret shared with the service when you set them up, so they work without a network connection and do not rely on your phone number. That matters because codes sent by SMS can be redirected to an attacker through SIM-swap fraud. The setup may feel unfamiliar the first time, but once it is in place, it becomes a simple habit.
It is also worth using more than one email address. Using the same email for everything flattens your whole online life into one identity. A more careful approach is to separate accounts by importance. For example, you may use one email for banking and sensitive services, another for shopping and subscriptions, and another for low-risk sign-ups.
This does not make you invincible, but it limits the damage if one account is exposed.
One-click logins should also be used carefully. “Continue with Google” and “Continue with Apple” can be convenient, but they should not be automatic choices for every website. When you use them, you may be granting that service access to parts of your profile, including your name, email address, profile photo, and sometimes other details, and every site you connect this way becomes one more account that falls if your Google or Apple account does. Always read the permission screen before approving access, and periodically review the list of connected apps in your Google or Apple account settings and remove the ones you no longer use.
For business owners, the risk is even greater. Staff should be trained not to use corporate email addresses for personal accounts, shopping platforms, entertainment services, or unrelated subscriptions. When business emails appear in breached databases, they can draw attention to the company domain and increase the risk of targeted attacks.
Password managers are another practical layer of defence. A password manager stores and generates strong, unique passwords for each account, so you do not need to reuse the same password across multiple services. This is one of the simplest ways to reduce risk. Many people already have access to tools such as Apple’s Passwords app, while others may prefer dedicated password managers with business or family options.
The key is to use a different strong password for every important account, then protect the password manager itself with a strong master password and multi-factor authentication.
It is also important to rethink what you send by email. Email is often used casually for documents, financial information, identity details, medical records, and personal data. But once sensitive information is sent, you lose control over it. If your account or the recipient’s account is compromised, that information may be exposed.
Where possible, use secure portals provided by banks, medical practices, accountants, government agencies, or other organisations. If you need to send sensitive information, ask whether there is an encrypted or secure upload option instead of attaching documents to a normal email.
Your email account is one of your most valuable digital assets. It deserves the same level of protection as your bank account, because in many cases, it is the path back into your bank account, your identity, your private records, and your business systems.
For individuals, that means taking small but meaningful steps: turn on MFA, use strong passwords, separate sensitive accounts, and think carefully before using one-click logins. For businesses, it means training staff before something goes wrong.
Cybersecurity does not have to feel overwhelming. The most important habits are simple once someone shows you how to use them.
To build practical cyber safety skills for yourself or your team, explore The Hack Academy’s online courses here: https://training.thehackacademy.com/course/
