Have I Been Pwned

I recently had a friend contact me about a disturbing email they’d received. The writer of the email claimed to have compromised my friend’s account: that they had access to their computer, their email, and their webcam, and that they had captured compromising photos and video of my friend through that webcam. They claimed that unless my friend sent them money they would forward the photos and videos to all of my friend’s contacts.

This, as you might imagine, was quite disconcerting. The blackmailer included one piece of information which, for my friend, seemed to prove the claims were true: a password that no one else should have known.

To me, the most surprising thing about this email was that it didn’t end up in the spam folder. Literally millions of these emails went out in the last year (according to Symantec, they blocked 300 million of them this year before June), and they almost always include a piece of personal information, such as a password, username, or phone number, that the recipient will recognize as unique to them.

What the recipient doesn’t know is that their personal data was indeed compromised, but not by the blackmailer. There have been dozens of significant data breaches at large websites. See if you’ve ever used any of these: Marriott International, LinkedIn, Adobe, eBay, Uber, Sony, Dropbox, or Yahoo. That’s a short list. The actual list of breached sites is much, much longer.

If you have almost any presence on the internet, it’s almost certain that your username and password for some site has been compromised. Want to see? There’s a site called https://haveibeenpwned.com where you can put in your email address and find out which breached sites your data appeared in. I’m pretty lucky. I only showed up in five.
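Have I Been Pwned also lets you check whether a password itself has appeared in a breach, and it does so without ever seeing the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the Pwned Passwords range API, and the server returns every known hash suffix that shares that prefix, so the comparison happens locally. The script below is an added example written for this column, not code from haveibeenpwned.com; it assumes the public endpoint https://api.pwnedpasswords.com/range/ and its documented "SUFFIX:COUNT" line format, and the sample response it tests against is constructed with made-up counts. Checking an email address against breaches, as described above, is a separate API that requires a key, so it is not shown.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Public k-anonymity endpoint for Pwned Passwords (assumption: unchanged URL).
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix ever leaves this machine; the remaining
    35 characters are compared locally against the server's list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan a range response (one "SUFFIX:COUNT" per line) for our suffix.

    Returns the breach count, or 0 if the suffix is absent. Padding
    entries (count 0, sent when Add-Padding is requested), blank lines and
    malformed lines are all treated as "not breached".
    """
    wanted = suffix.upper()
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == wanted:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the hash-suffix list for a 5-character SHA-1 prefix."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={
            # Add-Padding makes every response a similar size so a network
            # observer cannot infer the prefix from the response length.
            "Add-Padding": "true",
            "User-Agent": "hibp-range-check-example",  # hypothetical UA string
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in breach data (0 = not seen).

    `fetch` is injectable so the logic can be exercised offline.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with it). The counts are invented for illustration, not real HIBP figures.
SAMPLE_RANGE_5BAA6 = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:0
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12
"""

if __name__ == "__main__":
    # Offline run against the constructed sample.
    print("password ->", pwned_count("password", fetch=lambda p: SAMPLE_RANGE_5BAA6))
    # Live run (network required): uncomment to query the real service.
    # print("password ->", pwned_count("password"))
```

Because only a hash prefix is transmitted, this check is safe to build into a password manager or a sign-up form; a non-zero count means the password is in circulation and should be replaced, regardless of how strong it looks.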

Long-time readers of this column have read my repeated refrain to use a unique password on every site. It’s probable that only a tiny fraction of you take that advice. The rest of you will discover that once your username and password were lifted from one site, they were tried on hundreds of other sites. This is called credential stuffing, and attackers have very good tools to do it all automatically, so it happens within minutes at the stroke of a key.

Once a hacker or hacking group has your information, it gets packaged up with many other compromised users’ information and sold to the groups that send out the blackmail emails.

The blackmail varies. Sometimes it’s about exposing your identity or your browsing habits (think porn sites), and sometimes they pretend to be law enforcement and claim to have found child pornography on your computer.

They almost always include some way to pay in digital currency, and typically the amount is not great. Somewhere between $500 and $2000 is typical: an amount most people could pay if they had to.

They usually tell you some story of how you came to be compromised and include “proof” such as a password or perhaps just a URL where you can view the proof.

It’s quite common for a JPG/PNG/GIF image to be attached containing the bitcoin, litecoin, or other digital currency address, because an address in an image is harder for spam filters to match than one in the message text.

If you receive one of these, mark it as spam. Don’t click on any links. Don’t do what the email asks you to do. If you feel threatened in any way, contact the police immediately. Blackmail is a criminal matter, not a computer matter, so if you think it’s serious, treat it seriously.

In my friend’s case, I advised her to ignore it and make sure she’s using unique passwords on all the sites she logs into, starting with the account whose password showed up in the email. Look at my column on KeePass if you need some guidance. And finally, change your important passwords semi-regularly.