They found that about half of the usernames used on one site could be linked to another online profile, potentially allowing marketers and scammers to build a more complex picture of the users.
"These results show that some users can be profiled just from their usernames," says Claude Castelluccia, research director of the security and privacy research group at INRIA, and one of the authors of a paper on the work. "More specifically, a profiler could use usernames to identify all the site [profiles] that belong to the same user, and then use all the information contained in these sites to profile the victim."
A scammer could use this information to build a profile of a person and then target them with convincing phishing messages—perhaps referring to specific purchases on another website.
The INRIA researchers developed a way to determine how unique a username is, and a method of connecting usernames based on the information published to different sites.
Those who have more unique usernames are more vulnerable. "The other 50 percent of users are more difficult to link because their usernames have 'low' entropy and could in fact be linked to multiple users," says Daniele Perito, a doctoral candidate at INRIA, who was involved with the work.
The INRIA researchers have created a tool that can check how unique a username is, and thus how easily an attacker could use it to build a profile of a person.
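To make "how unique a username is" concrete, here is an added example (not the INRIA tool or code from the researchers' paper) that scores a username's surprisal in bits. The character-bigram model and add-one smoothing are techniques assumed for illustration, and the training list is a small constructed sample, so only the ordering of the scores is meaningful, not their absolute values.

```python
import math
from collections import Counter

# Constructed sample of usernames standing in for a large public corpus.
SAMPLE = ["john", "johnny", "john123", "mike", "mike99", "anna", "annab",
          "sarah", "sarah1", "maria", "mario", "alex", "alexa", "joanna"]

START, END = "^", "$"

def train(usernames):
    """Count character bigrams, with start/end markers, over a username corpus."""
    pairs, context = Counter(), Counter()
    alphabet = {END}
    for name in usernames:
        chars = [START] + list(name.lower()) + [END]
        alphabet.update(chars[1:])
        for a, b in zip(chars, chars[1:]):
            pairs[(a, b)] += 1
            context[a] += 1
    return pairs, context, alphabet

def surprisal_bits(name, model, extra_symbols=64):
    """Estimate -log2 P(name) under the bigram model with add-one smoothing.
    extra_symbols (an assumed value) reserves probability mass for characters
    that never appeared in the training sample."""
    pairs, context, alphabet = model
    vocab = len(alphabet) + extra_symbols
    chars = [START] + list(name.lower()) + [END]
    bits = 0.0
    for a, b in zip(chars, chars[1:]):
        p = (pairs[(a, b)] + 1) / (context[a] + vocab)
        bits -= math.log2(p)
    return bits

def expected_collisions(name, model, population):
    """Expected number of people in `population` who would pick this exact name.
    Values far below 1 mean the name is likely unique, hence easy to link."""
    return population * 2 ** -surprisal_bits(name, model)

MODEL = train(SAMPLE)

if __name__ == "__main__":
    for u in ["john", "sarah1", "xq7_vortex_zk"]:
        print(f"{u:15s} {surprisal_bits(u, MODEL):6.1f} bits")
```

A higher score means fewer other people are likely to have chosen the same string, which is what makes a reused username linkable across sites.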
Researchers are exploring ways that the traces of data that people leave on different websites and devices could be combined and used to track them.
Building profiles of consumers using online information has already become a major industry for marketers as well as cybercriminals.
Last year, for example, PatientsLikeMe.com, a website for those who use genetic testing services, caught marketing firm Nielsen scraping information from its users' posts.
Experts say users should avoid websites that openly publish their data. "It's not surprising that people use the same username in different places," says Avi Rubin, a professor of computer science at Johns Hopkins University who is currently on sabbatical as a Fulbright Scholar at Tel Aviv University.
"What's important is that people pick different passwords for different Internet sites, and that knowledge of their password for one site does not provide any useful clues toward deducing their passwords on other sites."