6

A few days ago I got an email from a hacker supposedly using an email address of mine (the same email address appeared in both TO and FROM) from my own email domain. He had part of a password I use to purchase items with this particular email, but not the one associated with the email server at HostGator, and he was threatening me with bogus claims and demanding a ransom.

I used haveibeenpwned and it returned 7 sites (i.e. LinkedIn hacks) and 1 paste. I read your site's answers and Troy's info but do not understand how to proceed. I am a small business man and not a coder.

Anders
Marc
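The question mentions haveibeenpwned but not how to act on it for the password itself. As an added example (not part of the question or any answer on this page), the following Python checks a password against the Pwned Passwords range API the way a password manager or login form would: only the first five hex characters of the SHA-1 hash are sent, so the service never sees the password (k-anonymity). The `SAMPLE_RANGE_RESPONSE` is constructed so the check runs offline; its counts and two of its suffixes are made up, and `fetch_range` is the only function that touches the network.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for hash prefix
# 5BAA6 (the prefix of SHA-1("password")). Real responses hold hundreds of
# "SUFFIX:COUNT" lines; the counts below and the last two suffixes are made up.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
)


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password).

    Only the 5-character prefix ever leaves the machine; the suffix is
    compared locally against the returned range.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines.

    With Add-Padding the API also returns filler entries with count 0; they
    stay in the dict but a count of 0 is treated as 'not found' below.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Download the range for a 5-character prefix from the live API (network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the corpus (0 = not found).

    range_body must be the response for this password's own hash prefix.
    """
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def check_password_online(password: str) -> int:
    """End-to-end check against the live API; the password itself is never sent."""
    prefix, _ = split_sha1(password)
    return pwned_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demo using the constructed sample; swap in check_password_online
    # for a real lookup.
    for candidate in ("password", "x7!Qv-constructed-unique-pw"):
        n = pwned_count(candidate, SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {n} times, change it everywhere it is used" if n else "not in sample"
        print(f"{candidate!r}: {verdict}")
```

A non-zero count means the password is in public leak data and should be changed on every site where it was reused, which is exactly the situation the extortion emails exploit.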

4 Answers

58

This is a known scam. The scammers look up emails and cracked passwords in public leaks of site databases and then send an extortion email to people. The password is already out in the open, sorry. You should change the passwords on all sites using that password. On the up-side, this does mean that the person who is emailing you is not actually a hacker and they have not infected your computer.

You should use a password manager to prevent this from being an issue in the future.

forest
  • I've been considering the use of a password manager but I kind of live on a budget. This is a different question, but is a free password manager worthwhile? – Guillaume Beauvois Jan 10 '19 at 08:39
  • 16
    @GuillaumeBeauvois One free password manager, KeePass, is often considered the best. – forest Jan 10 '19 at 08:40
  • 7
    @GuillaumeBeauvois The free version of Lastpass is better than KeePass. I have been using both for 3 years in my laptop and office environment. – I am the Most Stupid Person Jan 10 '19 at 09:50
  • 5
    @IamtheMostStupidPerson There was a post here recently that hinted that LastPass may actually be handling security reports really poorly. I forget where that post is, but it's sufficient to be wary of it. – forest Jan 10 '19 at 09:51
  • 1
    @GuillaumeBeauvois Try Bitwarden. It's free! – Syntax Error Jan 10 '19 at 10:09
  • 6
    @IamtheMostStupidPerson "better" in which sense? Easier to use, for sure, but surely not safer, since one is cloud-based and the other is not. – Federico Poloni Jan 10 '19 at 11:12
  • 2
  • 1
    @FedericoPoloni That argument can also go both ways: a cloud-based version might be safer w.r.t. loss, i.e. deletion of passwords, while a non-cloud-based version might be better at protecting against password theft w.r.t. broad attacks against many targets (i.e. the cloud provider itself). And then again a non-cloud-based version might be less safe against targeted theft of the complete password file of OP. That being said, I'd assume both are safe enough for the everyday lay person who re-uses the same password on multiple accounts (at least for such accounts it likely is safer than the current way). – Frank Hopkins Jan 10 '19 at 12:25
  • If you're going to suggest to OP changing their password (which is good advice) and to use a password manager (which is good advice), why oh why don't you go that extra step and tell them to make passwords unique? OP even admits that this is "a password [they] use sometimes" -- note the plural. – user Jan 10 '19 at 12:50
  • @aCVn That's why I specify that they should use a password manager. – forest Jan 10 '19 at 12:50
  • 1
    Using a password manager doesn't guarantee that passwords are unique. Using random passwords can go a decent part of the way toward ensuring passwords are unique, and a password manager makes that easier, but there's no requirement to have unique passwords just because one uses a password manager. – user Jan 10 '19 at 12:51
  • @aCVn Most password managers are able to generate a per-site password. – forest Jan 10 '19 at 12:53
  • 1
    @FedericoPoloni: re: "one is cloud based and the other one is not". It is true when you use it on a single computer. if you share the DB in any way - it is cloud based. It can be Dropbox, or your own NAS. It can be reencrypted by you with 2FA, or not. It all depends on how well you will do vs. how well Lastpass does. For the vast majority of people, they will not do it right. I am not trying to downplay Lastpass issues - just mention that the risk context is different for different people. – WoJ Jan 10 '19 at 13:12
  • @forest that's absolutely true. But, just because a pwd manager makes it easy to create a strong, unique, random, per-site password, doesn't mean that someone will do so without a strong recommendation to do so. – FreeMan Jan 10 '19 at 13:12
11

This is a scam attempt. Don't worry. Your password probably leaked somewhere (and you don't have different passwords for each service) and he is just trying to make you pay.

And forging the From: header on an email is as easy as writing a letter to someone and putting a different sender name on the envelope.

ThoriumBR
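The envelope analogy above is the whole story for the From: header; what the envelope analogy leaves out is that your own mail server stamps a verdict on the message when it arrives. As an added example (not part of this answer), the following Python reads that verdict from the Authentication-Results header and flags the "from yourself, to yourself" pattern from the question when SPF, DKIM and DMARC did not pass. Both messages, the server name `mx.example-host.net`, the addresses and the IP address are constructed placeholders; in practice the trusted authserv-id is whatever name your provider's server writes at the start of that header.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Dict

# Two constructed messages. The Authentication-Results header is added by the
# receiving mail server after it checks SPF/DKIM/DMARC; the hostnames,
# addresses and IP address here are placeholders for this example.
SPOOFED_MESSAGE = b"""\
Authentication-Results: mx.example-host.net; spf=fail smtp.mailfrom=owner@example.com; dkim=none; dmarc=fail header.from=example.com
Received: from unknown (HELO mail) (203.0.113.5)
From: owner@example.com
To: owner@example.com
Subject: I know your password

I have your password and your webcam ...
"""

LEGIT_MESSAGE = b"""\
Authentication-Results: mx.example-host.net; spf=pass smtp.mailfrom=owner@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: owner@example.com
To: owner@example.com
Subject: note to self

Remember to renew the domain.
"""

# Matches the mechanism=result pairs, e.g. "spf=fail", "dkim=none", "dmarc=pass".
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def parse_auth_results(raw: bytes, trusted_authserv: str) -> Dict[str, str]:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    written by our own server (authserv-id == trusted_authserv).

    Headers naming any other authserv-id are ignored: a sender can forge
    those just as easily as the From: line.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        value = str(header)
        authserv = value.split(";", 1)[0].strip()
        if authserv.lower() != trusted_authserv.lower():
            continue
        for mech, result in AUTH_RESULT.findall(value):
            # First verdict per mechanism wins (the outermost, most recent header).
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def assess_self_addressed_mail(raw: bytes, trusted_authserv: str) -> Dict[str, object]:
    """Flag mail that claims to come from the recipient's own address but
    failed authentication at our server."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    verdicts = parse_auth_results(raw, trusted_authserv)
    self_addressed = bool(sender) and sender == recipient
    authenticated = verdicts.get("dmarc") == "pass" or (
        verdicts.get("spf") == "pass" and verdicts.get("dkim") == "pass"
    )
    return {
        "from": sender,
        "self_addressed": self_addressed,
        "verdicts": verdicts,
        "likely_spoofed": self_addressed and not authenticated,
    }


if __name__ == "__main__":
    for label, raw in (("scam", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, assess_self_addressed_mail(raw, "mx.example-host.net"))
```

A DMARC reject policy on your own domain makes the spoofed case fail at the receiving server instead of landing in the inbox; the check above is what you would run on a message that already got through.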
1

Just last week I came across a similar phishing attack, in different versions, aimed at both our clients and our employees. When I searched online I found these sources: emailscams and sextortion.

Basically, they are using leaked passwords and sending scam emails asking for a ransom. It would be safe to ignore these kinds of emails, and change your passwords if they appear in leaked website databases.

Blacklion
-5

I would follow these steps:

  1. Don't pay the guy, and don't respond to his emails.
  2. Change the password from a different machine; yours is probably infected with something.
  3. Format your computer or install an AV to check for malware, a key logger, or other malicious activity.

Regards

camp0
  • 21
    This is not correct. This is a well-known and popular scam. OP's computer is not infected. – forest Jan 10 '19 at 08:33
  • 6
    @forest At least this isn't proof of that, aside from that, one never knows for sure^^ – Frank Hopkins Jan 10 '19 at 12:26
  • 2
    @forest Agreeing with Darkwing here; why would you state something so factually when you don't know? Sure it's a well-known and popular scam, but you don't know whether OP's computer is infected with something. – user1717828 Jan 10 '19 at 12:34
  • 8
    @user1717828 Obviously there's always a chance that someone is infected with something, but it would be completely unrelated to this incident and isn't even worth bringing up. – forest Jan 10 '19 at 12:44