For years people have been getting their online accounts compromised due to phishing as well as via brute force attacks due to poorly chosen passwords. We also know that people tend to share the same credentials across multiple sites however I haven't seen any concrete research/metrics on how commonplace this is or the depth of information an attacker can gather using this approach. The difficulty with this type of research is that the only way you can tell is
A. You're testing each of these sites, each being its own felony and highly illegal.
B. You're an owner of one of these sites working with the others to correlate this in a safe non privacy infringing manner.
Does anyone know of anybody doing something like this or a published report?