BankThink

Consumers Put at Risk by Bad Security Policies

Many companies are "needlessly exposing their customers to hacking, identity theft and government surveillance," a cybersecurity researcher wrote, and although a few are starting to make improvements, they are "invisible to the average user."

One area of concern is voicemail protection, Christopher Soghoian wrote in an op-ed at Ars Technica on Tuesday. The News of the World voicemail-hacking scandal has drawn a lot of recent attention to how easy it is to break into a mobile phone's voicemail account.

Many wireless carriers do not require a PIN for access to voicemail, relying instead on caller ID, which can be easily spoofed. Among U.S. carriers, Verizon Wireless requires a PIN and AT&T Inc. recently changed its policy to require new customers to set a PIN. But T-Mobile and Sprint still say a PIN is optional, so customers who do not proactively set one are still vulnerable to being hacked, Soghoian wrote.

It is also easy for hackers to access webmail accounts and other Internet services that use cloud storage, he wrote, in particular because a tool called Firesheep, released in October 2010, "made these attacks accessible to the point-and-click crowd."

Some providers offer encryption, but "these options are not turned on by default, nor have they been widely advertised to users," he wrote. "As a result, few consumers are currently protected from hijacking attacks" that can lead to the theft of their personal information.
