For the most part the unauthorized user will gain access to one site like the users Facebook profile, then from there be able to access email accounts, and any subscriptions linked to those accounts and alter passwords to prevent recovery. Depending on what the user has signed up to and the information stored in previous emails or emails sent after the intrusion the hacker can often alter the users entire online presence. The best defense against these attacks is to use unique passwords for all log ins and randomly generated characters to prevent hackers using social engineering question to guess your password.
