There is a terrifying new email scam doing the rounds. The trick is the inclusion of your email address and your password in the subject. Generally, these emails will demand payment on the threat of release of a video captured from your webcam. They have a common theme similar to this example.
RE: email@example.com your password is monkey123
I have hacked your PC and used this information to make a split screen video of you visiting an adult website. The video includes you recorded from your webcam, as well as the video you were watching. You have good taste.
Pay my ransom via BITCOIN or I will email this to your friends and employer within 48 hours. I have a tracked pixel in this email and I know it’s been read.
How does this happen?
Unfortunately, large-scale data breaches are a regular occurrence. Most of these make the news and are very well known. However, they are commonly reported well after the fact and can include email addresses, passwords, names, addresses, credit card details and more. Any time you sign up for a service, you are trusting a company not to lose control of your data. Here are a few of the biggest breaches to date, but there are hundreds of breaches known. The list gets bigger every month.
| Company | Users affected | Year |
|---|---|---|
| Yahoo | 3 Billion Users | 2013 |
| Yahoo | 500 Million Users | 2014 |
| Marriott/Starwood Hotels | 500 Million Users | 2018 |
| FriendFinder | 412 Million Users | 2016 |
| MySpace | 360 Million Users* | 2016* |
| Equifax | 143 Million Users | 2016 |
| | 50 Million Users | 2018 |

*suspected [source: https://en.wikipedia.org/wiki/List_of_data_breaches]
When a database is breached, it’s commonly sold to groups who use this information to log in and take over those accounts, as well as prepare extortion and scam emails. The urgent nature of their wording is designed to make a user pay the extortion figure without first thinking about what’s really going on.
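For anyone who runs a mail filter, the pattern described above (the recipient's own address and a password in the subject, plus a webcam claim, a Bitcoin demand and a deadline in the body) can be scored mechanically. The following is an added example, not part of the original article; the function names, weights, threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Weights and threshold are illustrative assumptions, not tuned values.
WEIGHTS = {"recipient_in_subject": 2, "password_in_subject": 2,
           "webcam_claim": 1, "crypto_demand": 1, "deadline": 1}
THRESHOLD = 5
PASSWORD_WORD = re.compile(r"\bpass(word|code)?\b", re.I)
BODY_CUES = {
    "webcam_claim": re.compile(r"\bweb\s?cam\b", re.I),
    "crypto_demand": re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b\d{1,3}\s*(hours?|days?)\b", re.I),
}

def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message supplied as text."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "").lower()
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    reasons = []
    # Key signal from the article: the recipient's own address in the
    # subject line, next to a password claim.
    if any(addr in subject for addr in recipients):
        reasons.append("recipient_in_subject")
        if PASSWORD_WORD.search(subject):
            reasons.append("password_in_subject")
    # Collect every text/plain part so multipart mail is covered too.
    body = " ".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    reasons += [name for name, rx in BODY_CUES.items() if rx.search(body)]
    return sum(WEIGHTS[r] for r in reasons), reasons

def is_extortion_lure(raw):
    """True when the message scores at or above the assumed threshold."""
    return score_message(raw)[0] >= THRESHOLD

# Constructed samples: the first mirrors the article's example e-mail.
SCAM = """\
From: sender@example.net
To: email@example.com
Subject: RE: email@example.com your password is monkey123

I recorded you from your webcam. Pay my ransom via BITCOIN or I will
email this to your friends and employer within 48 hours.
"""
BENIGN = """\
From: helpdesk@example.org
To: email@example.com
Subject: Your password expires in 5 days

Please choose a new password on the account settings page.
"""
```

An ordinary password-expiry notice mentions a password in the subject but not the recipient's address, so it scores zero here; a flagged message is best quarantined for review rather than silently dropped.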
What should I do?
DON’T PAY THE RANSOM.
Generally, these emails are sent from an automated source, and all a reply does is confirm to a hacker’s database that an email address is a “live one”. Replies will just open you up to more of the same types of email.
CHANGE YOUR PASSWORD.
These details are recovered from data breaches that may have occurred years ago. There is a good chance that the exposed password is an older one that you no longer use for any login. However, if you’re still using that password, change it immediately.
USE UNIQUE PASSWORDS FOR EVERY ACCOUNT.
Good password security begins with NEVER reusing passwords. Having unique passwords means that the breach of one database will NOT affect any other. Google Chrome allows the creation of unique, long and strong passwords by simply right-clicking in the password field.
CONSIDER A PASSWORD MANAGER.
Dedicated password software such as LastPass offers a cross-platform solution to manage different passwords for each account. Google Chrome [signed in with your Google account] can do a similar job, by using the right-click function to create a long, strong, saved password. Just make sure you have a very strong Google password [as it’s the master one you’ll need to remember] as well as 2FA [two-factor authentication] turned on.
COVER YOUR WEBCAM.
A small piece of black electrical tape covering a webcam is a good idea if you never use it, but can be inconvenient for regular video call users. Some laptops and desktops now include built-in covers that slide over the lens when it’s not in use.
CHECK YOUR EMAIL ADDRESS.
The Have I Been Pwned service will show you what, if any, breaches your data may have been included in. For users that have had an email address for a couple of years or more, expect it to be included. Let it serve as a reminder to update and use unique passwords on every website. Take a look at https://haveibeenpwned.com/
This type of email is not a pleasant experience. However, you can ignore empty threats with good password management.