This is an unusual topic, but it touches upon so many of us that I had to ask: have you received one of those threatening emails that claim to have hacked your computer and/or camera and recorded you pleasing yourself? They then ask for a large amount of money paid in the form of Bitcoins, in exchange for a vague promise that they won’t share the videos with your friends (as they also claim to have access to your emails and contact lists).
If so, you’re hardly alone. And, if it’s any consolation, the chances of anyone having hacked into your computer are about the same as you winning the lottery, in which case go ahead and pay to make a hacker’s day.
The Good News
First of all, no, there is no compromising video. Personally, I’ve been receiving probably a dozen of these emails each week for the past couple of months. Having no camera connected to my computer (I use a desktop) and being unable to remember the last time I watched porn (as anyone with a 3-year-old will tell you, you barely have enough energy left at the end of the day to crawl into bed, let alone watch porn), I laughed it off right away.
Except, they had a password: a genuine password of mine, albeit an older one. Even though I was no longer using it, it still made me wonder: how did they come into its possession?
The MEGA Release
What happens in these cases is that someone has, indeed, hacked a computer. Just not yours. Both Dropbox and LinkedIn were hacked in 2012. As Gizmodo reports, the breach was first reported by Troy Hunt, the security researcher who runs the site Have I Been Pwned (HIBP), where you can check if your email has been compromised in a data breach.
In his blog, Hunt says a collection of 12,000 separate files totalling 87GB of data had been uploaded to MEGA, a popular cloud service. The data, which seems to be a couple of years old, was then posted to a popular hacking forum and appears to be an amalgamation of over 2,000 databases.
Websites storing passwords usually hash them rather than keep them in plain text. That way, even if someone breaks into their database, all they can see is a series of random-looking characters where the passwords should be. The troubling thing with the MEGA release is that it contains “dehashed” passwords, meaning the hashes have been cracked back to the original passwords, fully exposing them (this is probably why the release contains older passwords: it probably took the hackers this long to crack them).
In simple terms, this means that your combination of email and password is out there. And it’s ridiculously easy for a miscreant to email you, using your password as “proof” they have hacked your computer.
Except, they haven’t. Even when they spoof your email address to “prove” that they are in control of your computer, this is just a smokescreen. What they have done is copy thousands of passwords and the corresponding email addresses from the breached databases. It’s then pretty easy to send each address a copy of the same threatening email, with your password dropped in to rattle you.
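To make the hashing point concrete, here is an added example (my own, not from the post or from Hunt) contrasting the unsalted fast hash whose dumps end up “dehashed” with a salted, slow hash that gives every user a different stored value. The leaked records, email addresses and word list are constructed, and SHA-1 as the legacy scheme is an assumption.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the common-password lists that get
# run against leaked hashes. Every value here is made up for the example.
COMMON_PASSWORDS = ["123456", "password", "sunshine", "qwerty", "letmein"]


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1: a fast one-way hash (assumed here) with no per-user salt."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample of a leaked credential table (email -> unsalted SHA-1).
LEAKED_RECORDS = {
    "alice@example.com": legacy_hash("sunshine"),
    "bob@example.com": legacy_hash("sunshine"),
    "carol@example.com": legacy_hash("Tr0ub4dor&3-unique"),
}


def dehash_legacy(records: dict, wordlist: list) -> dict:
    """Why 'dehashed' dumps exist: without salt, one precomputed table of
    hash -> password recovers every user who chose a common password."""
    table = {legacy_hash(pw): pw for pw in wordlist}
    return {email: table[h] for email, h in records.items() if h in table}


def store_password(password: str, iterations: int = 600_000) -> str:
    """Modern storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Same password, same legacy hash: one lookup exposes alice and bob.
    print(dehash_legacy(LEAKED_RECORDS, COMMON_PASSWORDS))
    a, b = store_password("sunshine"), store_password("sunshine")
    print(a != b, verify_password(a, "sunshine"), verify_password(a, "wrong"))
```

Carol's unique password survives the lookup, which is the same reason the post's third step (a unique generated password per site) matters even when a site's hashing is weak.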
What To Do
The first thing you can do is check Have I Been Pwned. If your email address appears in a breach, it will tell you which sites it was leaked from. And it’s not just the smaller websites that have been hacked. I found my Istomedia emails had been hacked on Adobe, Dropbox, Kickstarter, and LinkedIn! As for my Pearseus one, it was hacked from Bitly.
So, the second thing to do is go and change your password on all of these sites (if you haven’t already done so). Remember, this database was from 2012, so chances are you will have changed your password anyway. If not, now is a good time to do so.
Third, instead of using the same password everywhere, consider using a password manager. For the past few years, I have been using a password manager called LastPass to, well, manage my passwords. It works on a freemium model: basic services are free, premium ones are just $2/month. Even the basic service covers pretty much all of an average user’s needs, so I recommend it, as it makes life so much easier. It generates a hard-to-crack password every time you need one, then remembers it so you don’t have to: all you have to remember is the password to LastPass itself.
And, in case you’re wondering, “pwn” is a slang term derived from the verb “own”, meaning to appropriate or conquer. The term implies domination or humiliation of a rival, and is used primarily in Internet-based video game culture to taunt an opponent who has just been soundly defeated. So, just follow the 3 simple steps listed above and be safe!