Email scam uses old passwords and fake threats about your porn habits to collect bitcoin


  • Did you recently receive an email with one of your
    old passwords in the subject line, asking for bitcoin?
  • It’s a new kind of scam. 
  • The attacker probably took your password from a
    publicly available database of old leaked passwords and email
    addresses. 
  • Here’s how to keep yourself safe. 

There’s a new scam going around that would terrify most people if
it ever landed in their inbox.

The emails are slightly different depending on who’s being
attacked, but they all have a few similar features:

  • They include a password that you probably have used at some
    point in the subject line.
  • The email’s sender says they have used that password to hack
    your computer, install malware, and record video of you through
    your webcam.
  • They say they will reveal your adult website habits and send
    video of you to your contacts unless you send them bitcoin,
    usually in the amount of $1,200 or $1,600. 

Here’s one example of these scam emails, sent in the last
month: 

[Image: scam email. Credit: Business Insider]

Ian Kar, a New
York-based product manager who was sent the scammy email, said
that after he received this threat, he spent an entire day
changing all of his passwords and buying 1Password, a password
manager.

He said he was pretty sure his password was included in one of
the big leaks from the past few years — databases have been
stolen from LinkedIn, Yahoo, and eBay, for example. You can check
if your password is in one of these leaked databases over at the
website Have I Been Pwned.

Basically, the attackers don’t actually have video of you, or
access to your contacts, and they haven’t been able to install
malicious code on your computer. In reality, they’re taking a
password from a database that’s available online, sending it to
you, and hoping you’re scared enough to believe their story and
send them bitcoin. 
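
The features listed above (an old password in the subject line, a hacking or webcam claim, and a bitcoin demand) can be checked mechanically when triaging mail. The Python below is an added example, not code from the original article; the function names, the regular expressions, the hashed list of retired passwords, and both sample messages are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_string

# Address *shape* only (legacy 1.../3... and bech32 bc1...); no checksum validation.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DEMAND_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})+|\$\s?\d{3,}")
CLAIM_RE = re.compile(r"\b(webcam|malware|recorded|your contacts)\b", re.I)

def digest(token):
    """Hash a token so retired passwords are never stored in clear text."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def body_text(msg):
    """Concatenate the text of every non-container part of the message."""
    parts = [p for p in msg.walk() if not p.is_multipart()]
    return "\n".join(str(p.get_payload()) for p in parts)

def score_message(raw, retired_hashes):
    """Return the individual signals plus an overall verdict for one raw message."""
    msg = message_from_string(raw)
    body = body_text(msg)
    tokens = msg.get("Subject", "").split()
    # Try each subject token as-is and with surrounding punctuation removed.
    candidates = set(tokens) | {t.strip(".,:;!?\"'()") for t in tokens}
    signals = {
        "old_password_in_subject": any(digest(c) in retired_hashes for c in candidates),
        "bitcoin_address": bool(BTC_RE.search(body)),
        "money_demand": bool(DEMAND_RE.search(body)),
        "hack_or_webcam_claim": bool(CLAIM_RE.search(body)),
    }
    hits = sum(signals.values())
    # A retired password alone is not enough; require a payment signal as well.
    verdict = signals["old_password_in_subject"] and (
        signals["bitcoin_address"] or signals["money_demand"])
    return {**signals, "score": hits, "likely_sextortion": verdict}

# Constructed sample data: "hunter2" stands in for a password the user retired.
RETIRED = {digest("hunter2")}
SCAM = ("From: someone@example.com\nSubject: hunter2 is your password\n\n"
        "I installed malware and recorded video of you through your webcam.\n"
        "Send $1,200 in bitcoin to 1ThisAddressWasMadeUpForTheTest99 or I send it\n"
        "to your contacts.\n")
BENIGN = ("From: news@example.com\nSubject: Weekly crypto newsletter\n\n"
          "Bitcoin traded above $6,000 this week.\n")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, score_message(raw, RETIRED))
```

The benign message still trips the dollar-amount signal, which is why the verdict requires the retired password in the subject line as well.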

Some of the scammers have even made over $50,000 from the
blackmail scheme, based on an analysis of bitcoin
wallets, Bleeping Computer reported.

As leading security journalist Brian Krebs writes, this scam is
probably automated, which means you haven’t been specifically
targeted: 

“It is likely that this improved sextortion attempt is at least
semi-automated: My guess is that the perpetrator has created some
kind of script that draws directly from the usernames and
passwords from a given data breach at a popular Web site that
happened more than a decade ago, and that every victim who had
their password compromised as part of that breach is getting this
same email at the address used to sign up at that hacked Web
site.”

For now, the scammers seem to be using really old passwords —
maybe passwords you haven’t used in years. But as the scam
develops, there’s a good chance that it will evolve and may use
credentials from a fresh breach, according to Krebs.

Other good ideas to keep yourself safe: Use long and strong
passwords, use a password manager to make sure each account has a
unique password, and turn on two-factor authentication on your
important accounts. The FBI also recommends you turn off or cover
any web cameras when you’re not using them to prevent sex-based
extortion schemes, even if this kind of scam ends up being a
hollow threat.

And no matter what you do, don’t send bitcoin to the
scammers. 
