On Wednesday, business social network LinkedIn admitted that over six million of its users' passwords had been obtained and details posted online.
Graham Cluley, security expert at Sophos, told the BBC he worried the sites could have shared the same vulnerability.
"Can it be coincidence? It seems unlikely to me. There's a mystery in the middle of the LinkedIn breach about how they got the data. You have to worry there's a common vulnerability.
"The fact is, the only people who know are the hackers and maybe the companies concerned, but they may be struggling to work out what's happened.
"Is this the end of the story, or is there more to come?"
He reiterated advice suggesting users have different passwords for different web services.