SEATTLE -- Go online and you never know. Never know, that is, if something nasty is going to happen.

Consider one Web site that may have duped millions of people.

If prosecutors are right, this could be a major case of identity theft. The social networking site Tagged.com is being investigated by prosecutors in New York.

The allegation: it stole personal information from unsuspecting users, as well as people who never visited the site.

When TIME Magazine reporter Sean Gregory got an e-mail from a friend, saying she'd posted photos on Tagged.com, he logged on to see them.

But there were no pictures. Gregory says it was a ruse designed to steal his online address book.

"As soon as I clicked it, I got these emails from my wife and best friend saying, 'What the heck is this? Should i touch this? It made me so angry I wrote about it," he said.

The New York Attorney General's Office says Gregory was one of 60 million people allegedly duped by tagged.

The allegations involve a practice called "contact scraping," and security experts say it's a growing, invasive form of identity theft. Investigators say a Web site uses one person's e-mail address to lure his friends and associates into giving up their personal contacts.

"It's like breaking into someone's home, stealing their address book and sending letters to all of their friends and other contacts and loved ones and pretending to be them," said Benjamin Lawsky, special assistant to the New York Attorney General's Office.

Contacted by ABC News, Tagged.com issued a statement apologizing for any problems. The company says it is cooperating with the investigators.

The New York Times reports it has received similar complaints from people who use other social networking sites.

How would a company benefit from contact scraping? The Times says they are expanding their user base, which they can use to impress advertisers or attract investors.

How do you protect yourself? Don't use the same user name and passwords on different sites. And don't give your user name and password from one site to another site.

For more information:

Typing In an E-Mail Address, and Giving Up Your Friends' as Well