Now combine the two: the type of attack Alex brought up, and some social engineering.
Your "secret question" used to recover a lost password is probably the weakest link if you use strong, unique passwords for each site. It's too easy for someone to find out what high school you went to, what your mother's maiden name is, what your father's middle name is, what your first dog's name was, etc., when you and your family are listed on social networks.
You never know when the latest person to "friend" you that you didn't quite recognize could be someone that wants to read your profile in order to learn more about you to steal your accounts this way.
The SitePoint podcast recently talked about this and suggested you make up answers. Create a fake persona that lives only in your head so that your security questions/answers can't be answered by someone that might know your profile.