
For a few weeks now I have been receiving spam emails threatening me with an old password I no longer use. I wonder if it's related to this collection. It starts with:

> I am well aware [old password I think I swapped out everywhere, but definitely in all important places, when I started to use random keepass pws two years ago] is your pass words. Lets get straight to the point. None has compensated me to check about you. You don't know me and you're most likely wondering why you are getting this e-mail?

He goes on to tell me my computer was hacked using that password, that he downloaded my contacts and recorded me watching porn, and now threatens to send that video to all my contacts. Of course, unless I send him bitcoins worth about $1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM

I have received several of these emails in my spam folder since December. The password most likely comes from the Heroes of Newerth leak back in 2014!

It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins. This is a real threat these collections create. To be honest I feel uneasy about this email though I'm 100% sure this password is not used for anything important since about two years ago. I can't imagine how someone with a current password and no security/compsci knowledge at all would feel.

Unfortunately I deleted all but the last of these emails, so I wonder whether he reuses the same bitcoin address and it can be easily blacklisted by the authorities. If he is smart he generates a different address for every single email.

The best defense, just in case one of these cases turns out to be legit, is to send a video of myself watching porn to all my contacts preemptively. Take out their leverage, you know?

One benefit to this approach is that next time it happens you won’t have any contacts left, so you’re covered for the future.

Yea, a double video of you and what you are watching. Select the most degenerate stuff you ever watched.

This would be a nightmare for basically anyone.

This reminds me of the time I experimented with screen recording for self-analysis and productivity. It sometimes captured things I didn't want on video, but I forgot to turn off the recorder while I was deleting the footage. So I ended up with footage of me trying to cover up embarrassing footage.

Has anyone done this as part of a ‘presentation skills’ course? You record yourself giving your talk and then you play it back but sped up a little.

Boy do those nervous tics appear obvious at 2x. By the end you just want to scream out to yourself "stop touching your ear!".

This was a requirement in a Speech course I took during community college. Each of my speeches was recorded while I gave it to the class. After each one, I had to watch the recording and write a short paper analyzing the physical presentation I gave, including my tics/mannerisms/etc.

Edit: We each brought in our own VHS tape (this was 2010-2011) on presentation day and https://www.svcc.edu/employees/directory/pa-fulfs/index.html would swap them in/out for each speech. Good memories... :)

VHS tapes in 2010-2011?????

This was probably very embarrassing and I'm sorry, but I laughed really hard at the thought of this. Thanks for making me smile this morning.

Personal anecdote; having your most embarrassing moments broadcast widely is good at filtering out all but your real friends. You might even find out some folks are way more understanding than you ever expected.

Those "way more understanding people" are your real friends. Congratulations for locating them!

Ah, the Mark Zuckerberg model!

The most revealing thing in that video would be how bored I get from porn these days.

> It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins

I've had 3 web clients contact me who received these. One called the local police and an IT guy, two bought new computers, and one I never heard back from.

I just got one with nearly the same wording. "I am aware [old password] is your passphrases. Lets get directly to point..." sent using the spoofed email address oo@r.com.

The bitcoin address is different: 1ELzee2T9Wd5YPTYhWbWD3xK7xB5tJ94J4

Looks like the scam worked a couple times so far: https://www.blockchain.com/btc/address/1ELzee2T9Wd5YPTYhWbWD...

I’ve checked into some of these wallets and some of the early ones (I started receiving these several months ago) had $10k-$16k worth in deposits. And then some have none.

Oh, interesting! I've never seen anyone running this scam reuse a wallet before.

Yep I got a different one too, 1GjZSJnpU4AfTS8vmre6rx7eQgeMUq8VYr

Interestingly, this address has received 3.5489 BTC and transferred most of it to: 3NLSUFJxkkW26cZKTVLrcfBQhiN7eHBET3

Different for me too: 1KeCBKUgQDyyMpaXhfpRi2qUvyrjcsT44o

Quick search turned up 5 unique wallets for me :\
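The thread above asks whether the scammer reuses one wallet or mints a new one per mail, and several commenters did that check by hand. Here is an added example (not code from the original post or from any commenter) that does the same triage over a batch of these emails: it pulls out the claimed password, the demanded amount and the wallet, validates the wallet with a base58check decode so mangled or mistyped addresses are not counted, and reports which valid wallets recur. The sample messages, passwords and amounts are constructed; the only address used is the public Bitcoin genesis-block address, chosen because it is known to be valid.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample messages modelled on the emails quoted in this thread.
# Passwords, amounts and wallets are placeholders; the wallet is the public
# genesis-block address, used only because it passes base58check.
SAMPLE_EMAILS = [
    "I am well aware hunter2 is your pass words. Lets get straight to the "
    "point. You will make the payment by Bitcoin. Send $1000 to "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 24 hours.",
    "I am aware hunter2 is your passphrases. Lets get directly to point. "
    "Send $943 to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.",
    # Third sample: first letter of the password dropped, wallet mangled
    "I am aware unter2 is your password. Send $850 to "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfN0 now.",
]

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose candidate pattern; the real check is base58check_valid() below
ADDR_RE = re.compile(r"\b[13][A-Za-z0-9]{25,34}\b")
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")
PASSWORD_RE = re.compile(r"aware\s+(\S+)\s+is your pass", re.IGNORECASE)


def base58check_valid(addr):
    """True if addr is a well-formed legacy (P2PKH/P2SH) address: base58
    alphabet only, 25 decoded bytes, version byte 0x00 or 0x05, and the
    last 4 bytes equal the first 4 bytes of SHA256(SHA256(payload))."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:  # '0', 'O', 'I' and 'l' are not in the base58 alphabet
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    payload, check = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return raw[0] in (0x00, 0x05) and digest[:4] == check


def triage(emails):
    """Extract the claimed password, demanded amount and wallet per mail."""
    rows = []
    for text in emails:
        pw = PASSWORD_RE.search(text)
        amt = AMOUNT_RE.search(text)
        addr = ADDR_RE.search(text)
        rows.append({
            "password": pw.group(1).rstrip(".,") if pw else None,
            "amount": int(amt.group(1).replace(",", "")) if amt else None,
            "address": addr.group(0) if addr else None,
            "address_valid": bool(addr) and base58check_valid(addr.group(0)),
        })
    return rows


def reused_addresses(rows):
    """Map each valid wallet seen in more than one mail to those mail indexes."""
    seen = defaultdict(list)
    for i, row in enumerate(rows):
        if row["address_valid"]:
            seen[row["address"]].append(i)
    return {a: idx for a, idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    rows = triage(SAMPLE_EMAILS)
    for row in rows:
        print(row)
    print("reused wallets:", reused_addresses(rows))
```

Only wallets that pass the checksum are grouped, so a copy-paste error or a deliberately corrupted address in one mail cannot masquerade as a reuse.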


I've been receiving similar emails for a long time (probably more than a year) with my old Linkedin account password that was part of the 2012 breach. I don't even have a LinkedIn account anymore and I know that I haven't used the password anywhere else since it was randomly generated for that website by my password manager.

So I can confirm that scammers seem to leverage password dumps that way. It's quite clever I suppose, if I used the same password everywhere (as many people seem to do) I'd definitely be worried.

Another data point: I get those to an email that was exclusively used on one insecure message board, but not only with the actual password that I had been using there, but also with a number of comically mangled variations thereof, and with some completely unrelated passwords (not mine). Apparently the data has been compiled from many different sources that went through various stages of bitrot from changing hands repeatedly, possibly with deliberate cutting to inflate numbers.

(oh, and also myspace, some identities are just meant to be stolen I guess...)

I received the same email to "myspace@" my domain. I wouldn't have used that email anywhere else..

Now we know where to try the associated password.

Makes me think I need a better strategy on the username side to not leak that info.

I tried it on MySpace and it didn't work. Nor could I figure out what did work or what my account even is/was. I suspect MySpace has removed inactive users, though, possibly due to issues like this.

Also it makes it easy to guess what other alias you would have used for another website. Short randomly generated hex is a much better solution.

If you're using a password manager to randomly generate long, secure passwords, the email address shouldn't matter much. The only potential issue would be social engineering to gain access to the account, but seeing how most people use the same email everywhere, I would think you'd have to a potential target for that to be of concern.

There are good reasons to provide unique aliases to companies requesting an email:

- if they start sending you spam you can sever their ability to contact you by deleting the alias

- if they give your contact to a third party, you know from the alias who leaked your email address

- if you see an email on a data breach like this one, you know immediately which website got hacked

- it makes it really hard to correlate your identity across two websites

I don't disagree with providing unique emails to various services, I just don't think that _randomstring_@your-domain.com is better than myspace@your-domain.com. I actually think it's worse, since it's more difficult to identify when an email is coming from the wrong place. If I get an email to myspace@domain.com and it's not from MySpace, I know right away. That's not as immediately obvious if I get an email to a random string.

Agreed. And it's so easy to set up when you have your own domain, I'm somewhat surprised not more people are doing it. Oh well.

It would be cool if there was something like this built into a password manager

There is, it will save off whichever username you use when you sign up eg facebook@domain.com - works well for me.

There is a pretty cool keepass plugin [1] that generates random, readable passwords based on a dictionary with definitions of nouns, verbs and adjectives and multiple patterns to create short sentences.

Even if the dictionary and patterns are known by an attacker, this still has very good entropy on ~16 characters long sentences. For usernames you can easily just go down to the minimum (around 6-10).

I find this superior to random values in a lot of places as it's easily readable and it's also easily typeable, when copy-paste doesn't work.

[1] https://bitbucket.org/ligos/readablepassphrasegenerator/wiki...

Also available as a 1Password feature. It's inspired by the XKCD "correct horse battery staple" comic.

Self-plug: passhole is a keepass CLI password manager that has this feature built in.


But how will I guess my email when I do want to reconnect with my account? I see why obfuscation (well, anything to avoid predictability, up to that random hex) is advisable, but the convenience trade-off is real.

If you do that out of memory, you are most likely re-using passwords. Re-using passwords with an easily guessable login isn't a good combination.

> If you do that out of memory, you are most likely re-using passwords.

How does that follow? It still adds value to use aliases that identify the site where they're used, because then you don't need to do a hashtable lookup to see where your mail is coming from.

Re-using passwords with a unique login would indeed be stupid because it would not only be weak against attackers but also have terrible ergonomics: it's usually much easier to regain access after forgetting the password than to regain access after forgetting the login. Source: I often forget both of them.

What I and many others do is reuse not a password, but reuse a password formula (in my case with slight but easily memorable variations depending on importance, or if forced by stupid password rules). If you saw a dozen of my email/password combinations in the clear you would be able to reverse engineer the rules and then guess combinations for arbitrary sites almost as good as me. It's a calculated risk, just like trusting a password manager is a calculated risk. Right now I consider password managers the better trade-off, but still only slightly better, by a margin small enough to make it not worthwhile to invest in a habit change. If the "formula" I happen to use was just a little harder to reverse engineer than it sadly is I would consider it strictly safer than password managers.

If you're using a password manager you could generate a random local-part and store that too.

I've had the same one to nexus@ mydomain which I suspect I used when I was doing phone dev on a forum or manufacturers website. I'd love to know which site it was that leaked.

> recorded <..> watching porn

What a damning position to be in, in 2019.

Email a million addresses and you'll wind up hitting a few who've been browsing child porn, or something they'd find highly embarrassing if their parents/spouse/SO found out.

As with other scams that can be initiated at scale, you don't need a 50% conversion rate. 0.01% probably suits just fine.

A conversion rate of 0.01% on 700 million addresses and a ~$1000 demand makes you 70 million dollars. That's a lot of money for just sending 700 million emails.

Probably a couple orders of magnitude high, too. One in ten thousand? I doubt that many make it through people's spam filters.

Unless it's a Black Mirror twist. Next thing you're following some troll's orders to kill people to conceal your dark secret.

yea, umm.... that wasn't regular porn he was watching

Just watched this episode. I didn't take that "revelation" at the end to mean he actually did that. Saw it as just the final "lulz" move in the trolling.

As an embellishment by the trolls, it would probably move any authority figures from a position of "let's figure out who got this dumb kid mixed up in these terrible things" to stony indifference and something closer to "serves him right." It also alienates him from his family so he has nobody in his corner any more.

Consider your own reaction as a viewer. Think about the other person who was involved in the last task of the episode. Did you feel any sympathy for him?

You're saying he was just watching normal porn?

I remember specifically thinking "well, embarrassing sure, but everybody does it, oh well"

Why rob a bank just for some embarrassment?

I don't think he would have if the older guy with more at stake hadn't been there to pressure/manipulate him into it.

That's what I'm alluding to

I think among younger people watching porn is a given. It's ubiquitous, especially as production of pornographic media has exploded in the last decade. People post their nude selfies online for fun and seem to be fine. I've seen people I know post their photos on their personal Instagrams. At some point there must be diminishing returns for would-be blackmailers.

Right!? If some random unknown contact sends me a salacious video of one of my actual contacts, my one and only question is to the unknown contact asking why they're sending this to me.

"Yes, I'm aware he jerks it, we all do. Doesn't mean I want to watch him box the bishop."

They don't reuse wallets that I've ever seen, and I've been getting spates of these off and on for a few years now, since TVTropes (what? I had some time on my hands!) got owned.

Interestingly, the dollar amount of the attempted extortion has gone up more or less monotonically throughout; the first ones I got were looking for something like $200.

I think it's interesting that they're trying to get non-technical people who would fall for this kind of thing to buy bitcoins and then send them. Like the number of people who would believe this, have a thousand dollars on hand, and be able to buy and send bitcoins is probably tiny.

It's an optimization strategy for them between actually getting paid and not getting caught.

Buying bitcoin is actually pretty easy and they help you figure it out in the email as I already commented here https://news.ycombinator.com/item?id=18939713

Some of the ransomware scammers have actual customer service call centers set up. https://www.reuters.com/article/us-usa-cyber-ransomware-idUS...

> Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.

No surprise. Rule #1 in retail is "Make it easy for the customer to give you their money."

Market making at its finest! /s

I've received the same emails, for livejournal accounts. They seem to reuse bitcoin addresses. Bitcoin blockchain explorers show that the addresses are recently created, and that people have sent them money.

> Bitcoin blockchain explorers show that the addresses are recently created, and that people have sent them money.

I find it difficult to reconcile someone tech savvy enough to use bitcoin falling for a scam of this nature.

On the other hand, it might explain a lot about the crypto space!

The email contains:

> You will make the payment by Bi‌tco‌in (if you do not know this, search 'how to buy b‌itcoi‌n' in Google).

The top result is from coinbase [1]. I would say everyone capable of online banking is capable of following these steps.

[1] https://www.coinbase.com/buy-bitcoin

Wonder if it would be a good idea for coinbase to mention the possibility of you being scammed...

At a coffee shop on the campus of my nearby university there's a bitcoin machine with a piece of paper above it outlining bitcoin scams. Coinbase really should follow suit with the standard "The IRS, FBI, Jesus will never ask you to send them bitcoin..."

My local grocery store has a sign above the gift cards reminding people that government entities and utility companies will never ask for payment in gift cards. If they can manage a warning, I would hope Bitcoin sites could have a disclaimer somewhere...

And lose some sweet free money?

Why? They take a percentage out of everything you transfer, ofc they wouldn’t want to warn you.

That’s a very narrow and cynical view of their business.

It’s as easy to assume that a world in which crypto is a trusted, common method of value transfer benefits them if they’re a leader in that space.

> If he is smart he generates a different address for every single email.

1) I don't think it's one person, I've received multiple of these with different wording. At the least I think there are a bunch of copycats out there.

2) I received an initial batch of six to a few different mail addresses, and across about six different emails there was one bitcoin address used in four of them. I took a look on blockchain.info and a couple of payments of about the asked amount had gone through it in the previous few days.

What bugs me is that this is actual, criminal extortion on a large scale. Where are law enforcement?

I have received a few of these as well (all displaying the same password). Because I use a unique, random password for every site, it was just a matter of finding it in my password manager. In my case, it was an old one from a forum breach several years ago (not in any way related to porn).

It's clear that someone has made a business model out of this, and it doesn't matter what the password is actually from. For people that don't use unique passwords, they can't say if there is anything behind the threat.

Remember to always use unique passwords for every site!

I had exactly the same. I ignored them, then, more interestingly, they started coming with the first character of the password missing, like a kind of digital entropy. Reminds me of the fantastic Alvin Lucier audio piece "I Am Sitting In A Room": https://en.wikipedia.org/wiki/I_Am_Sitting_in_a_Room

I received 6 of these emails from October through December. They're all similar, but contain slightly different subject and body text. They refer to the same password I haven't used in a decade, although at that time I used it on a number of services, so I'm unsure of the source.

They all talk about having access to my computer, a recording of me watching porn, and threaten to send it to my contacts unless I send 700-850 USD to a Bitcoin address. The payment amounts and Bitcoin addresses are different in each of the emails.

I had exactly that email. I can't remember where the password was from, but it seems to be in an old format that I used to use maybe 10 years back, if not more.

I got this one as well.

The subject of the email was a previous password I've used and they sent it "from my domain" (not really my domain, you know how it is).

I've been getting what sounds like the same emails. They used an email address and password that I used only on monster.com back in the early 2000s.

I got a dozen of these mails all from different addresses, each with a different wallet address. I checked each wallet and no transactions were made to those either, so it doesn't seem so fruitful.

Interestingly, I also did play heroes of newerth so I guess that you're right on that notion.

Another fun fact, each time my password was mentioned, it was missing the first letter.

>Another fun fact, each time my password was mentioned, it was missing the first letter.

I get an old password in these kinds of emails that has been stripped of case; the capitalization I used is not what I received. Still, the first one was attention grabbing, even if I've long moved on from that password to a password manager with a randomly generated password for each site.

I've received around a dozen of these, all with different bitcoin addresses. All of them came from a Linkedin breach a few years ago. (I know that because I use different email addresses and passwords on every site, and these all came to my Linkedin-associated address and claimed to have stolen my [unused for years] Linkedin password.)

I got tons of those too, mostly to test accounts. It’s hilarious how bad they are when they use my test names to address me.

I've gotten, and still get, these kinds of emails daily for months. Sometimes in groups of 3. The bitcoin address is not the same as the one you linked.


Yeah, I started getting those a few weeks back as well. The password is my old intranet password from my elementary school, funnily enough. I sent their admin an email about it, but I've heard nothing back so w/ev.

This is a new variant of the porn-blackmail scam, I've been receiving similar E-mails since 2017 after the Bitcoin fever. I guess the scammers have gotten their inspiration from watching Black Mirror since then.

How can the authorities blacklist a Bitcoin wallet address? Couldn't he just tumble the coins and spread them far and wide?

Had the same; scary thing is the unknown number of people who will just pay / take everything in that email seriously.

The bitcoin address is different :), mine is 1Mzpnco6nKkHTRNr9bhMa7JqGt7ABtqLBx and they ask for $943

There is a black mirror episode very similar to that blackmailing.

Oh. Been getting these for a while. So those are actual passwords I used. I was wondering how stupid the whole thing was telling people some random string is their old password.

All the ones I've had so far have been sent to throwaway addresses with the password "monkey", so I instantly know the info comes from site I don't care about, that I probably haven't used for years.

Definitely, the first one I got had me very worried as it actually got the password correct. And I can spot these kinds of fake emails instantly.
