If you have gotten a message from someone who claims to have dirt on you — and shows off, as proof, a password you’ve previously used — here’s what happened.

NEW YORK: It’s that email message everyone gets — someone claiming to be a hacker who broke into your computer and used your webcam to watch you looking at adult websites. That part of the message always tips you off that this is a scam, but the subject line contains an old password that you’ve used before. And you’re worried: How did this person get that information?

These sorts of online extortion schemes — which try to guilt people into paying off hackers claiming to have compromising information — are nothing new. But a new wave of messages that began popping up in mid-July has stepped up the ploy by showing passwords in the subject headers as attention-grabbing “proof” that someone has deeply burrowed into your computer and has your personal information.

As for the inclusion of a real password, after years of database breaches from major sites and services like Yahoo, eBay, Sony PlayStation and dozens of other companies, varying amounts of people’s data are floating around the Internet, often for sale on the black market. That data is now being melded into traditional phishing scams.

According to the Krebs on Security blog, several recipients of this particular blackmail campaign observed that the password included in the message was old, some by about a decade, and not currently in use. For those who haven’t changed their passwords in years, the ruse could appear more realistic, and the hustle itself may become fine-tuned as the perpetrators weave in fresher bits of stolen user data.

A good security practice is to update your passwords frequently and to add two-factor authentication, which verifies your identity beyond the password by use of unique codes generated by text, authenticator apps or special USB keys plugged into the computer.

If you have a lot of passwords to wrangle, keep track of them in a secure password-manager program.

You can report phishing incidents on the FBI’s Internet Crime Complaint Center site.

By J.D. Biersdorfer © 2018 The New York Times



