Are we still too gullible when it comes to the internet, asks technology analyst Bill Thompson?
It may be small comfort, but at least AOL's 30 million customers now know one of the reasons why they get so much spam.
We regularly hand over personal information online
An AOL engineer named Jason Smathers has just been charged under US anti-spam law for sending out adverts for an online gambling site. He apparently took advantage of his access to the company's internal network to steal information about all 92 million registered screen names.
And once he had used the names himself, he sold them to spammers for tens of thousands of dollars.
In fact the theft probably did not add much to the tidal wave of spam washing over AOL customers, since programs which generate random screen names and e-mail addresses are common.
But the apparent ease with which the AOL list could be stolen, and the company's failure to realise that this had happened, are disturbing.
It seems that even though the company was aware of what it calls "intrusion queries" being made on its customer database, it did nothing to investigate them until another employee who had been helping Mr Smathers tipped them off in April this year.
Now Mr Smathers and another AOL employee, Sean Dunaway, have been charged with conspiracy and may in fact go to jail for using the addresses to send out spam.
Guarding our data
It is worth noting that there is no general data protection law in the US. If Mr Smathers had stolen credit card details then he could have been charged under privacy law, but just taking details of e-mail accounts is evidently fine.
And AOL itself will not be charged for being reckless with the personal details of its customers, because the US government believes that the market should deal with companies that do not take care of personal information.
I wonder how many people are going to cancel their AOL accounts and go through all the hassle of telling friends about their new e-mail address?
Over here we have a very different view. European data protection legislation is among the most restrictive in the world, reflecting our belief that people have a right to control how their personal details are used, and that this right should be backed up by law rather than relying on imperfect consumer knowledge.
Unfortunately our law does not apply to US companies that trade online in Europe, as the European Commission has accepted that they need only sign up to a very watered-down set of privacy principles, called "Safe Harbor".
Even this minimal standard is not taken very seriously, so it offers little real protection - it is unlikely that any UK-based AOL customers would have any success trying to sue the company.
The theft of the addresses raises a much wider issue for net users, because it shows just how much we have to lose when our trust is breached by companies we deal with, and how little comeback we have.
And it highlights how little we consider the issue in our day-to-day online lives.
A question of trust
We trust our internet service providers, even though they know the details of every e-mail we send, every website we visit and every chat room we enter - and even though we know they will pass this information on to the police if asked.
We trust the search engines we use with information about our obsessions and interests, even though some, like Google, offer us toolbars and other programs that can track our every move on the web.
We trust our online banks, even though the username/password/PIN security they use can be broken, and the contracts we have signed with them leave us liable if accounts are broken into.
We trust the companies offering wireless internet access from cafes and airports, even though most of us do not secure our laptops properly and could be exposing all our personal details to hackers whenever we connect.
And we trust websites offering software to download, rarely checking digital signatures or even doing a cursory search to find out if the program is known to carry spyware, adware or any other form of malicious piggy-backer.
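The digital-signature and checksum checks mentioned above are cheap to do and almost never done. As an added illustration that is not part of the original column, the following Python script parses a SHA256SUMS-style manifest of the kind many projects publish beside their downloads, verifies each received file against it, and reports files that were altered, that are missing, or that were never listed. All of the sample files and the manifest are constructed here; in real use the manifest (or better, a detached signature over it) would come from the publisher over a separate channel, since a checksum served from the same compromised server proves nothing.

```python
import hashlib
import hmac

# Constructed sample data standing in for a project's download page: two
# genuine files, one file that was swapped for something else on the way
# down, and one file that turned up without being listed at all.
GOOD_INSTALLER = b"MZ\x90\x00 game-setup v1.2 (constructed bytes)"
GOOD_TOOLBAR = b"MZ\x90\x00 toolbar v3 (constructed bytes)"
TAMPERED_TOOLBAR = GOOD_TOOLBAR + b"\x00 extra payload appended"

# A SHA256SUMS-style manifest in the format coreutils `sha256sum` writes:
# "<hex digest>  <name>" in text mode, "<hex digest> *<name>" in binary mode.
# Here it is built from the known-good bytes; a publisher would ship this
# file (ideally signed) alongside the downloads.
MANIFEST = "\n".join([
    "# constructed manifest, not from any real project",
    f"{hashlib.sha256(GOOD_INSTALLER).hexdigest()}  game-setup.exe",
    f"{hashlib.sha256(GOOD_TOOLBAR).hexdigest()} *toolbar.exe",
    f"{hashlib.sha256(b'constructed readme').hexdigest()}  readme.txt",
])

# What the user actually received (filename -> bytes).
RECEIVED = {
    "game-setup.exe": GOOD_INSTALLER,
    "toolbar.exe": TAMPERED_TOOLBAR,
    "extra.dll": b"not listed anywhere in the manifest",
}


def parse_sha256sums(text):
    """Parse a SHA256SUMS manifest into {filename: lowercase hex digest}.

    Blank lines and '#' comments are skipped; anything else that is not a
    64-character hex digest followed by a name is rejected outright rather
    than silently ignored.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"non-hex digest on line {lineno}: {raw!r}")
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(manifest_text, files):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing' | 'unlisted'}."""
    expected = parse_sha256sums(manifest_text)
    results = {}
    for name, digest in expected.items():
        if name not in files:
            results[name] = "missing"
            continue
        actual = hashlib.sha256(files[name]).hexdigest()
        # compare_digest avoids leaking which byte differed via timing.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    for name in files:
        if name not in expected:
            results[name] = "unlisted"
    return results


def demo():
    """Run the check over the constructed download set."""
    return verify_downloads(MANIFEST, RECEIVED)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The rule a user should apply is simple: install nothing whose status is anything other than "ok", and treat an "unlisted" file with the same suspicion as a mismatch, since it is exactly how an unwanted extra lands on a machine alongside a legitimate download.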
I spent an evening at a friend's house earlier this week clearing unwanted adware from her PC after her daughter had downloaded and installed a nice-looking game that was more than it seemed.
And my girlfriend wasted a work day doing the same for her own computer after something sneaked through her filters.
There is no single, simple solution to this problem, and while technology can help, it cannot do everything and often simply creates new trade-offs.
If we had a mechanism for digitally signing all software so that we could be confident of its safety, we would also be giving somebody the power to say which programs are certified, opening up the possibility of software censorship.
If we have rigid data protection laws then we might limit innovation and new applications online. And if we introduce universal digital signatures for proof of identity then we make it harder for those who have a need to be anonymous online.
The first step has to be greater awareness of the issues, so that we are at least asking the right questions.
The blithe assumption that we can simply trust what we find online, and have confidence in the companies that hold our private information on their servers, has got to be challenged.
So perhaps AOL's embarrassment can help us all in the long run by making us think about trust and who really deserves it.
Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.