> I am well aware [old password I think I swapped out everywhere, but definitely in all important places, when I started to use random keepass pws two years ago] is your password. Let's get straight to the point. None has compensated me to check about you. You don't know me and you're most likely wondering why you are getting this e-mail?
He continues to tell me my computer was hacked using that password, he downloaded my contacts, recorded me watching porn and now threatens to send that video to all my contacts. Of course unless I send him bitcoins for about $1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM
I have gotten multiple of these emails in my spam folder since December. The password most likely comes from the Heroes of Newerth leak back in 2014!
It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins. This is a real threat these collections create. To be honest I feel uneasy about this email though I'm 100% sure this password is not used for anything important since about two years ago. I can't imagine how someone with a current password and no security/compsci knowledge at all would feel.
I unfortunately deleted all but the last of these emails, so I wonder if he reuses the same bitcoin address and it can be easily blacklisted by authorities. If he is smart he generates a different address for every single email.
This would be a nightmare for basically anyone.
Boy do those nervous tics appear obvious at 2x. By the end you just want to scream out to yourself "stop touching your ear!".
Edit: We each brought in our own VHS tape (this was 2010-2011) on presentation day and https://www.svcc.edu/employees/directory/pa-fulfs/index.html would swap them in/out for each speech. Good memories... :)
I've had 3 web clients contact me that received these. One called the local police and an IT guy, two bought new computers, and one I never heard back from.
The bitcoin address is different: 1ELzee2T9Wd5YPTYhWbWD3xK7xB5tJ94J4
Looks like the scam worked a couple times so far:
So I can confirm that scammers seem to leverage password dumps that way. It's quite clever I suppose, if I used the same password everywhere (as many people seem to do) I'd definitely be worried.
(oh, and also myspace, some identities are just meant to be stolen I guess...)
Makes me think I need a better strategy on the username side to not leak that info.
- if they start sending you spam you can sever their capacity to contact you by deleting the alias
- if they give your contact to a third party, you know from the alias who leaked your email address
- if you see an email on a data breach like this one, you know immediately which website got hacked
- it makes it really hard to correlate your identity across two websites
Even if the dictionary and patterns are known by an attacker, this still has very good entropy on ~16 characters long sentences. For usernames you can easily just go down to the minimum (around 6-10).
I find this superior to random values in a lot of places as it's easily readable and it's also easily typeable, when copy-paste doesn't work.
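The two comments above describe a per-site e-mail alias scheme (a leaked alias tells you which site leaked it, and deleting the alias cuts the spammer off) and argue that dictionary-word passphrases keep good entropy even when the dictionary and pattern are known. The following added example, which is not code from anyone in this thread, puts numbers on the entropy claim and builds site-tagged aliases from a wordlist. The tiny WORDLIST is a constructed stand-in; a real wordlist of several thousand words (the 7776-word size used below is an assumption) is what you would actually use.

```python
import math
import secrets

# Constructed, deliberately tiny wordlist; a real deployment would load a
# large wordlist (thousands of words) from disk instead.
WORDLIST = ["apple", "river", "stone", "cloud", "tiger", "lamp", "music", "orbit"]


def passphrase_entropy_bits(dictionary_size, word_count):
    """Entropy of word_count words drawn uniformly from dictionary_size words.

    This is the entropy that remains even when the attacker knows the
    dictionary and the pattern, because the only secret is the choice of words.
    """
    return word_count * math.log2(dictionary_size)


def random_string_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string, for comparison with passphrases."""
    return length * math.log2(alphabet_size)


def make_alias(base_local_part, site, domain, tag_words=2, wordlist=WORDLIST):
    """Build a per-site alias of the form base+site-word-word@domain.

    The site label makes a leak attributable (you see the label in the breach
    dump); the random words stop anyone holding one alias from guessing the
    alias used at another site. secrets.choice gives a uniform, unpredictable
    draw; never use the random module for this.
    """
    tag = "-".join(secrets.choice(wordlist) for _ in range(tag_words))
    return f"{base_local_part}+{site}-{tag}@{domain}"


def site_from_alias(alias):
    """Recover the site label from an alias built by make_alias, or None."""
    local_part = alias.split("@", 1)[0]
    if "+" not in local_part:
        return None
    return local_part.split("+", 1)[1].split("-", 1)[0]


if __name__ == "__main__":
    # Three dictionary words (roughly 16 characters) versus 16 random lowercase letters.
    print(f"3 words from 7776:  {passphrase_entropy_bits(7776, 3):.1f} bits")
    print(f"16 random letters:  {random_string_entropy_bits(26, 16):.1f} bits")
    alias = make_alias("me", "shop", "example.com")
    print(alias, "->", site_from_alias(alias))
```

The comparison shows the trade-off the comment describes: three words from a 7776-word list give about 38.8 bits, below the 75 bits of 16 random letters, but readable and typeable, and you can add a fourth word to reach about 51.7 bits. For usernames and aliases the secret part only needs to resist guessing by someone correlating accounts, so a shorter tag is acceptable, as the comment notes.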
How does that follow? It still adds value to use aliases that identify the site where they're used, because then you don't need to do a hashtable lookup to see where your mail is coming from.
What I and many others do is reuse not a password, but reuse a password formula (in my case with slight but easily memorable variations depending on importance, or if forced by stupid password rules). If you saw a dozen of my email/password combinations in the clear you would be able to reverse engineer the rules and then guess combinations for arbitrary sites almost as well as I could. It's a calculated risk, just like trusting a password manager is a calculated risk. Right now I consider password managers the better trade-off, but still only slightly better, by a margin small enough to make it not worthwhile to invest in a habit change. If the "formula" I happen to use was just a little harder to reverse engineer than it sadly is, I would consider it strictly safer than password managers.
What a damning position to be in, in 2019.
As with other scams that can be initiated at scale, you don't need a 50% conversion rate. 0.01% probably suits just fine.
As an embellishment by the trolls, it would probably move any authority figures from a position of "let's figure out who got this dumb kid mixed up in these terrible things" to stony indifference and something closer to "serves him right." It also alienates him from his family so he has nobody in his corner any more.
Consider your own reaction as a viewer. Think about the other person who was involved in the last task of the episode. Did you feel any sympathy for him?
I remember specifically thinking "well, embarrassing sure, but everybody does it, oh well"
Why rob a bank just for some embarrassment?
Interestingly, the dollar amount of the attempted extortion has gone up more or less monotonically throughout; the first ones I got were looking for something like $200.
Buying bitcoin is actually pretty easy and they help you figure it out in the email as I already commented here https://news.ycombinator.com/item?id=18939713
> Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.
I find it difficult to reconcile someone tech savvy enough to use bitcoin falling for a scam of this nature.
On the other hand, it might explain a lot about the crypto space!
> You will make the payment by Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).
The top result is from coinbase. I would say everyone capable of online banking is capable of following these steps.
It’s as easy to assume that a world in which crypto is a trusted, common method of value transfer benefits them if they’re a leader in that space.
1) I don't think it's one person, I've received multiple of these with different wording. At the least I think there are a bunch of copycats out there.
2) I received an initial batch of six to a few different mail addresses, and across about six different emails there was one bitcoin address used in four of them. I took a look on blockchain.info and a couple of payments of about the asked amount had gone through it in the previous few days.
What bugs me is that this is actual, criminal extortion on a large scale. Where are law enforcement?
It's clear that someone has made a business model out of this, and it doesn't matter what the password is actually from. For people that don't use unique passwords, they can't say if there is anything behind the threat.
Remember to always use unique passwords for every site!
They all talk about having access to my computer, a recording of me watching porn, and threaten to send it to my contacts unless I send 700-850 USD to a Bitcoin address. The payment amounts and Bitcoin addresses are different in each of the emails.
The subject of the email was a previous password I've used and they sent it "from my domain" (not really my domain, you know how it is).
Interestingly, I also did play heroes of newerth so I guess that you're right on that notion.
Another fun fact, each time my password was mentioned, it was missing the first letter.
I get an old password in these kinds of emails that has been stripped of case; the capitalization I used is not what I received. Still, the first one was attention grabbing, even if I've long moved on from that password to a password manager with a randomly generated password for each site.
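Several commenters describe the same shape of message: a retired password (sometimes lowercased, sometimes missing its first letter) in the subject or body, a threat to send a webcam recording to the recipient's contacts, and a Bitcoin address that changes from mail to mail. As an added example that is not code from anyone in this thread, the following mail-filter heuristic scores a message on those three signals so a mailbox or gateway can flag it. The sample messages are constructed; the Bitcoin address in the first sample is the one quoted at the top of the thread. The retired-password list is a plaintext placeholder for demonstration; a real filter would compare against hashes of the old passwords rather than keep them in the clear.

```python
import re

# Base58 Bitcoin addresses start with 1 or 3 and never contain 0, O, I or l.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Vocabulary the thread's examples share; two or more hits count as threat language.
THREAT_TERMS = ("webcam", "video", "contacts", "payment", "bitcoin", "hacked")


def password_variants(password):
    """Forms in which commenters saw their old password quoted back:
    case-stripped, and with the first character missing."""
    lowered = password.lower()
    return {v for v in (lowered, lowered[1:]) if len(v) >= 6}


def score_message(subject, body, retired_passwords):
    """Return the list of signals found in the message (empty if none)."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    if BTC_ADDRESS.search(body):
        reasons.append("bitcoin_address")
    if any(v in text for pw in retired_passwords for v in password_variants(pw)):
        reasons.append("retired_password")
    if sum(1 for term in THREAT_TERMS if term in text) >= 2:
        reasons.append("threat_language")
    return reasons


def is_sextortion(subject, body, retired_passwords, threshold=2):
    """Flag when at least `threshold` independent signals co-occur; a lone
    Bitcoin address (an exchange notification) is not enough on its own."""
    return len(score_message(subject, body, retired_passwords)) >= threshold


# Constructed samples. RETIRED is an assumed list of passwords the user no longer uses.
RETIRED = ["CorrectHorse42"]
SAMPLES = [
    ("orrecthorse42",
     "I know orrecthorse42 is your password. I have a video from your webcam "
     "and your contacts. Send 1000 USD to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM"),
    ("Your weekly digest", "Thanks for subscribing to our newsletter."),
    ("Deposit confirmed", "Your deposit to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM is confirmed."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(f"{subject!r}: {score_message(subject, body, RETIRED)} "
              f"-> flagged={is_sextortion(subject, body, RETIRED)}")
```

Requiring two co-occurring signals is what keeps the false-positive rate tolerable: the third sample contains an address but no retired password and no threat vocabulary, so it passes, while the first sample trips all three checks.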