Passwords like those stolen from LinkedIn, owner of the world's biggest professional networking website, may not lead to many accounts being breached because criminals selling the access codes reap as little as US$1 ($1.20).
That compares with banking passwords, which can fetch US$15 to US$850 apiece, depending on the account balance, according to internet security provider Symantec.
The utility of stolen data varied by site, leading to price differentiation, said Francis deSouza, president of Symantec's enterprise unit.
Stolen social-network passwords have limited value to thieves because they generally can't take money directly out of the accounts, he said.
Hackers blocked from using the passwords on LinkedIn might still use them to infiltrate other sites if users access accounts with the same login.
"The reaction coming out of this breach is ... change your password on any sites where you've used the same password," deSouza said.
LinkedIn, based in California, said last week that 6.5 million user passwords were posted on a hacker site and the United States Federal Bureau of Investigation was working with the company on the security breach.
LinkedIn said that it hadn't received any verified reports of unauthorised access to member accounts. The company also said it disabled any passwords it found were potentially compromised.
Customers of CBS's Last.fm music site and EHarmony's dating site also had passwords stolen last week. Both companies suggested that users change their passwords immediately.
One way criminals have taken advantage of job sites such as LinkedIn is by creating fake accounts and linking them to hacked accounts.
Then they wait. The connection lets the perpetrator monitor the breached accounts for news that someone is changing jobs. Once that happens, the hacker might send an email pretending to be a new colleague or someone from human resources. If the unsuspecting user clicks on a malicious link in the message, the hacker can take control of the victim's computer.
LinkedIn said on its blog that many of the stolen passwords posted on a hacker site were "hashed", or encoded to be unreadable by outsiders. Still, some were decoded and published, the company said.