Your online accounts are about to be hacked.
Again.
Once they are, the hijackers will be able to take over your computer, drain your bank accounts, run up charges on your credit card, buy Amazon goodies in your name, lock you out of your email and cloud storage, read your sensitive business and personal documents, and snarf those embarrassing photos.
If you’re lucky, the bad guys won’t do all that (though some of them will, and all will have that option). What they mostly will do — and I know, because they’re already doing it to my friends — is steal your contact list. Then they’ll send scummy spam, in your name, to everyone you know.
Some of you have had to buy new computers, open new accounts, change passwords, and run new anti-virus software, because you already were hacked. But none of that will help if you walk into the next trap — the new trap — that’s now being laid for you. So here’s how to avoid it:
Do not — please, please do not — ever sign into any website using your log-in codes from a different website!
In other words, don’t use your Facebook username and password to sign into Instagram (or vice versa). Don’t use your Microsoft username and password to sign into Skype (or vice versa). Don’t use your Yahoo username and password to sign into Flickr (or vice versa).
Sure, you can do all these things, and more. The biggest web companies are encouraging you to cultivate this habit. But it’s a terrible habit! Convenience notwithstanding, it’s better to create a different account, with a different username and a different password, for each web service you use. Write them down in a notebook if need be, and keep it safe.
Now I know it’s a royal pain to keep multiplying usernames and passwords. I probably have more than most of you. And I know how strong the temptation is to recycle log-in codes, using the same ones in multiple places. Saves work for us. Saves a whole lot more work for the crooks looking to steal our lives. The convenience isn’t worth the risk.
The seeds of this log-in apocalypse have for some time been spreading and germinating. It works like this: Facebook buys Instagram, and thus wants you to use your existing Facebook username and password to sign into Instagram. So suddenly every Facebook account is also an Instagram account, and vice versa. Facebook enjoys a massive upsurge in its already bloated user base.
Microsoft does the same with Skype. Yahoo does it with Flickr; Google, with YouTube. Please note: These are legitimate log-ins, or would be if they stopped there. But there’s a problem…
A problem that’s especially exacerbated by the worst offender: Facebook now is signing up legions of other companies, all over the web, with deals to let you use your “Facebook log-in” for their websites. This lets Facebook track you and sell your private “profile” to other companies, which then follow you around the web with personalized ads.
Web stalking, though, still isn’t the problem. Here it is:
All the web’s largest companies now are conditioning us to feel that it’s okay — that it’s normal and expected — to use their log-in codes for other, smaller companies. Even companies we’ve never heard of. But that isn’t okay.
This new online culture is so pervasive we can’t possibly keep track. We don’t really know, and can’t remember, which usernames and passwords we can legitimately use with which other websites. Just yesterday, this risky practice would have raised red flags and set off clanging alarm bells. Today, it suddenly feels like the safest, most natural habit in the world!
Until we use, say, our “Gmail log-in” to enter a friendly-looking website really run by the Mafia. Or by a teenage hacker in Estonia, or Nigeria, or — let’s see, what’s really scary? — Knoxville, Tennessee.
What I’m already noticing is how crooked websites having no connection with Google now invite unsuspecting visitors to “sign up” using their “Gmail login”. Or sites not affiliated with Facebook tell visitors to log in using their Facebook credentials. Sites having nothing to do with Microsoft brag how you can “join” using your passwords for Outlook, Hotmail, SkyDrive, Skype, or other Microsoft accounts.
The moment you fall for this, they’ve got you. They can now read all your email and learn where you bank, where you shop, where you store your medical records, and what all your other passwords are. Even if you don’t store passwords in the cloud, they can use your email log-in to reset your passwords for accounts they couldn’t otherwise access. (Remember how the “I forgot my password” business works?)
Cases in Point
This sting has caught, so far, only two of my friends; but I’m reading online about scores of other people falling for it. It wouldn’t surprise me if this becomes the next big web scandal.
I spotted this trend after receiving a “private message” from a good friend, supposedly sent through a web outfit called Zorpia. I could “click here” to “access my message”. I didn’t click, because I knew if my friend really wants to send me a private message, he has my email and phone data.
My friend assures me — and I believe him — that he never heard of Zorpia. Apparently he was simply in the contact list of someone else who fell for Zorpia’s come-on: “Sign up using your Gmail log-in!” Zorpia promptly stole that other person’s address book, which included my friend. He’s now being used, without his consent, to spam Lord knows how many more people.
The Zorpia spam-note ended with a list of “other Zorpians waiting to meet” me. Two alluring females, plus two handsome guys, one of them with a woman’s name. In terms of blatantly sexual enticements, Zorpia seems bent on covering all bases.
Wikipedia says Zorpia is a “social networking service, popular in India and China, that uses unethical methods such as spamming, scamming and phishing to recruit users”. Read the details here. But are such methods effective?
Well, Alexa Internet ranks Zorpia among the 6,000 most frequently visited websites in the world. Considering how there are millions (or is that by now billions?) of websites, Zorpia is among the largest. Probably in the upper one percent, and rising. It operates out of Hong Kong and — despite its sleazy tactics — may even be breaking no laws.
Another friend finds her name being used to send “invitations” from something called Flipora. Which she, too, assures us she never heard of! Yet she’s being blamed by angry friends and family who are being pestered, or taken advantage of, by Flipora. (The latter apparently is too new to have a Wikipedia exposé, at this time.)
Both Zorpia and Flipora, from what I read on the ‘Net, are like bulldogs that won’t let go: Once they get their teeth into you, it’s over. If you have an “account” with them, you can’t delete it, which makes sense since they probably opened it in your name without your knowledge. Ditto for any software they install on your machine: Good luck rooting it out.
But Zorpia and Flipora may well be mosquitoes, compared with the horde of zombie hacker-spammers approaching. All of them crooning: “Sign in with Gmail! Sign in with Hotmail! Sign in with Yahoo! Sign in with Facebook!”
Please! Just. Don’t. Do. It!
Do any of you have experience with Zorpia, Flipora, or other spam sites trying to trick us into giving up sensitive log-in details? Has your contact list been harvested without your knowledge? Please share your thoughts using the comments box.