For the past couple years, people have been getting emails that claim to have caught the recipient doing something embarrassing or illegal. These messages are attempts at extortion and nothing more.
In one version, the email claims the potential victim’s computer webcam has been hacked, and that some private video footage was captured—something they would not want viewed by the general public. The message goes on to demand that the victim make a payment in bitcoin to the sender in order to avoid having the video distributed to everyone they know. This message contains an actual password once used by the recipient, cited as “proof” that the sender knows who they are and has access to their computer, contacts, webcam, and more.
The password used as evidence that the email is legitimate will be real. The recipient will have used this password at some website in the past. However, there has NOT been any webcam hack in this case.*
Here’s what DID happen: quite a few years ago, there was a data breach at some big website or other. I have received one of these messages, and as far as I can remember, the password they used dated back to 2009 or 2010. (Unfortunately, I do not remember which website it was used with.) Therefore, the database of email addresses matched with passwords being used in these attacks is quite old. I recognized it right away—it was from a time before I knew how to create strong passwords.
The people sending these messages are hoping you’ll recognize that password. They’re counting on it for the immediate fear reaction. However, they didn’t hack anything. They purchased an outdated database from a decade-old data breach and started sending emails.
However, while you’re deleting this message (and NOT sending bitcoin to anyone), there is still something to be learned. For one thing, if you’re still using the password from the message on any website, app or account, CHANGE IT NOW. For another, never reuse the same password for different accounts. You don’t want poor security at some message board you visit three times a month to be the reason someone was able to login to your credit card account. Once any website is breached, even one with not that many users or sensitive information, it is guaranteed the hackers will try your email/password combination at all the major financial sites, or use it to attempt extortion.
*Note: none of this is to say that the camera on a mobile phone, tablet or laptop computer can’t be hacked or compromised in some way, it’s just not what is happening with these particular emails. Remember the little hunk of tape you put over your laptop’s camera years ago? Still not a bad idea. Leave it on.