Extortion scams that know one of your passwords

We’ve seen a few reports recently of customers receiving messages that begin something like this:

I’m going to cut to the chase. I am aware [redacted] is your pass word. More to the point, I know your secret and I’ve evidence of your secret. You don’t know me personally and no one paid me to examine you.

The message then goes on to demand money in order to not reveal your “secret”.

These are a scam; you should ignore them. The mail is sent in bulk by spammers to millions of people, just like any other spam, and they know nothing about you beyond your email address and a password they stole from another site. Our filters block most of these, but unfortunately no filter can block all spam messages (the spammers are constantly changing them to get around the blocking).

You can find more information on sites like Sophos and Krebs on Security.

How do they know my password?

If the password it mentions is a real password you’ve used, they know it because it was stolen from another service whose security breach exposed its users’ email addresses and passwords.

You can check if this is the case by entering your email address into Have I Been Pwned?, a site that tracks breaches. You might see something like this, for example:

As you can see, someone stole all the LinkedIn users’ email addresses and passwords a few years ago, and those are available to spammers. The spammers simply send each address a message that includes the LinkedIn password, making it seem more legitimate.

To avoid problems from breaches like this, you should use a different password for each service (and change the password on any account that still uses the one the spammer sent you; passwords that differ from it don’t need to change). If you use a different password for reading email, for example, it doesn’t matter if hackers steal the password you use on LinkedIn. The Have I Been Pwned? site has more tips.