How did this extortionist get my (possibly) password?

Factual Questions
1

On Oct. 1 I received an email that went to my Outlook Junk folder. I was reviewing the folder today and ran across it. The subject line was

Your password is <password>

where <password> represents a password that is one that I think I have used in the past but do not believe is on a currently active account. But it was definitely not one this guy just came up with at random.

The rest of the email is nonsense. I would not have given it a moment’s thought except for the password. Obviously I didn’t pay and nothing happened, but where did this guy get a password that I may have used for something at some point, associated with my work email address?

A couple of days before that I got one with the same scam, but different wording. This time they spoofed my email address to “prove” that they had control of my email account. They also included a password, one very similar but not identical to any I have used. But, again, it does not look like they got it by guessing.

2

Existing thread.

Basically, they got your password from some big data breaches years ago.

3

There’s a part of me that kind of admires the cleverness, here. What can you do with a hijacked LinkedIn password that’ll be profitable? Not much… unless you can use it to convince a mark that you have something much more valuable.

4

There are different ways for a website to store your password:

  1. Store it in clear text
  2. Store it with a trivial modification
  3. Store it with a complex modification

If hackers steal the user database for the website, they have access to the same password information. If the password is in clear text or is encrypted in a way that it can be figured out, hackers can figure out your password for that website. In addition, they likely have all the other user details you registered with, like your email address. So now they can send you spam with your password that you recognize.

This is also why it’s so dangerous to use the same password everywhere. If the hackers figure out your password from some benign website, they can then try to log in on other sites with your email/pw combination. So they’ll go to amazon, gmail, all the banking websites, investment websites, etc. If you use the same password everywhere, they’ll be able to log into all those accounts.

5

Thanks, makes sense.

6

Fortunately most of the main sites recognize when an attempt is made from an unknown browser and will text you an additional code to enter before they allow access. That is apparently not as secure as it once was, but it’s far better than nothing.

7

I hope it goes without saying that the second paragraph of the email is all lies. They have no video. Just ignore it. I’ve gotten several of these.

8

Minimal embarrassment aside, it’s not really worth $5K for me to avoid having contacts know that I watch spaniel puppy videos on Facebook. :o:smack:

9

Is there any such thing as a “special pixel” which can function to let the sender know that an e-mail has been read?

10

Yes, but it requires your email reader to display images. Many email programs do not show images by default for just this reason. The email reader just shows you the text, which doesn’t require any outside connections. But if you allow it to load images, then it will download any images configured in the email. To track you, spammers will put 1 pixel images in the email with unique names for each email. If the image server gets a request for that image with the unique name, they know the email was read (or at least the image was requested).

11

Interesting. Sounds like a good reason to set my browser to not download images.

12

No.
This email we are talking about, not the web. Websites already know that you have visited.

13

Well, we know that somebody watches Black Mirror.

14

May I recommend haveibeenpwned.com.

This site is run by cybersecurity researcher and expert Troy Hunt. If you register with your email address, he will email you whenever a new data breach is discovered in the wild with your email in it. It will also show you existing breaches that you’re email was in, and (I think) the password associated with that breach if it’s known.

You can use this to go change your passwords when data is released.

And of course you’re using separate passwords for every service, right? So that when one site is breached none of your other passwords are in jeopardy.

ETA: I mistakenly claimed Brian Krebs ran this site. Oops. Messing up my email/password/security researchers.

15

Of course.

16

All they know for sure is that an email client downloaded the images, which can happen without a human ever opening the email. I think it may be used more often to validate that an email address is live then to determine if someone read it. There is no sure-fire way to know someone read your email. (A company I worked for also used this trick on our web pages for a third-party analytics firm to track traffic to our site.)

17

Hope you use that password on multiple sites

18

I am still getting these. Is there a way to deposit $0.01 into the Bitcoin account?

19

As Grand Moff Tarkin once said: “You’re far too trusting.”

You really think that these emails will stop if you send them money? If anything, they are likely to multiply beyond measure if you “bite.”

20

Is the Bitcoin account the same in all the emails? But I suppose with Bitcoin, it doesn’t really matter as accounts can be created at will.

One possibility is that the database with your info is making its way through the hacker community. Different hackers could be sending out the same email to all the same people. There are likely automated scripts that will do all the work for the hacker. All the hacker has to do is point the script at the database and give it the Bitcoin account to insert into the email. So you shouldn’t assume that it’s just one hacker sending these emails and you just need to pay off that one hacker. Even if he went away, there are lots more who will be doing the same thing.