Extortion scams that know one of your passwords

We’ve seen a few reports recently of customers receiving messages that begin something like this:

I’m going to cut to the chase. I am aware [redacted] is your pass word. More to the point, I know your secret and I’ve evidence of your secret. You don’t know me personally and no one paid me to examine you.

The message then goes on to demand money in order to not reveal your “secret”.

These are a scam; you should ignore them. The mail is sent in bulk by spammers to millions of people, just like any other spam, and they know nothing about you beyond your email address and a password they stole from another site. Our filters block most of these, but unfortunately no filter can block all spam messages (the spammers are constantly changing them to get around the blocking).

You can find more information on sites like Sophos and Krebs on Security.

They used my own address to send the mail

If the message appears to come from your own address, that just means that they’ve forged, or “spoofed”, your address on a message they sent through another server. Forging an email address is easy: almost all spam uses forged addresses, and it doesn’t mean they have access to your mailbox. This page on our website explains more about forged addresses.

How do they know my password?

If the password it mentions is a real password you’ve used, they know it because they stole it from another service that suffered a security breach exposing its users’ email addresses and passwords.

You can often check if this is the case by entering your email address into Have I Been Pwned?, a site that tracks breaches. You might see something like this, for example:

As you can see, someone stole all the LinkedIn users’ email addresses and passwords a few years ago, and those are available to spammers. The spammers simply send each address a message that includes the LinkedIn password, making it seem more legitimate.

To avoid problems from breaches like this, you should use a different password for each service (and change any passwords that match the one the spammer sent you, although you don’t need to change other, different passwords). If you use a different password for reading email, for example, it doesn’t matter if hackers steal the password you use on LinkedIn. The Have I Been Pwned? site has more tips.
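The Have I Been Pwned? site also publishes its breached-password corpus through a "range" lookup: only the first five characters of the password's SHA-1 hash are sent, and the site returns every hash suffix in that range, so the password itself never leaves your machine. The following is an added example, not code from this page or from Have I Been Pwned?, showing how that check works; the range response below is constructed (only the entry for the password "password" is its real SHA-1 suffix, the other suffixes and all counts are made up), and `fetch_range` is included only to show the real endpoint, it is not called here.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called below

def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.
    Only the prefix is ever sent to the service; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def find_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password appeared in known breaches, or 0 if it is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than crash
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Fetch the real range for a 5-character hash prefix (network access needed;
    the service requires a User-Agent header). Not used in the offline demo."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for a range response for prefix 5BAA6. Only the middle
# line is the genuine SHA-1 suffix of "password"; the rest is made up.
SAMPLE_RANGE_RESPONSE = """\
1D2F4B0E3DD3B3C9A6F2E1F0C7E9B1A2D3F:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F9D6C2B8E7A4D3C1B0F9E8D7C6B5A4F3E2:15
"""

def breach_count(password: str, response_text: str = SAMPLE_RANGE_RESPONSE) -> int:
    """Offline check: how often does this password appear in the (sample) breach data?"""
    _prefix, suffix = split_sha1(password)
    return find_in_range_response(suffix, response_text)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times in sample breach data")
```

A non-zero count means the password is in circulation and should be changed everywhere it was used; a zero result only says it is not in the data checked, not that it is safe.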

Don’t let them fool you

This scam is clever. The hackers know only two things about you (your email address and a password you used somewhere), but they try to use those to make you think they know more than that. It’s easy for hackers to steal an email address and password from somewhere else, but that doesn’t mean they have access to your email, or your webcam, or anything like that. Don’t let them trick you into thinking it does.