This is an unusual topic, but it touches so many of us that I had to ask: have you received one of those threatening emails that claim to have hacked your computer and/or camera and recorded you pleasing yourself? They then demand a large sum of money, paid in Bitcoin, in exchange for a vague promise not to share the video with your friends (they also claim to have access to your emails and contact lists).
If so, you're hardly alone. And, if it's any consolation, the chances that anyone has actually hacked into your computer are about the same as your chances of winning the lottery, in which case go ahead and pay to make a hacker's day.
The Good News
First of all, no, there is no compromising video. Personally, I’ve been receiving probably a dozen of these emails each week for the past couple of months. Having no camera connected to my computer (I use a desktop) and being unable to remember the last time I watched porn (as anyone with a 3-year-old will tell you, you barely have enough energy left at the end of the day to crawl into bed, let alone watch porn), I laughed it off right away.
Except that they had a password: a genuine password of mine, albeit an older one. Even though I was no longer using it, it still made me wonder: how did they come into its possession?
The MEGA Release
What happens in these cases is that someone has, indeed, hacked a computer. Just not yours. Both Dropbox and LinkedIn, for example, were breached back in 2012. As Gizmodo reports, the much more recent MEGA release was first reported by Troy Hunt, the security researcher who runs the site Have I Been Pwned (HIBP), where you can check whether your email address has turned up in a data breach.
On his blog, Hunt says a collection of some 12,000 separate files, totalling 87GB of data, had been uploaded to MEGA, a popular cloud storage service. The data, which seems to be a couple of years old, was then posted to a popular hacking forum and appears to be an amalgamation of over 2,000 breached databases.
Websites that take password storage seriously don't keep your password at all, and they don't encrypt it either: they store a hash of it, the output of a one-way function that cannot be run backwards. Done properly (a unique random salt per user and a deliberately slow algorithm such as bcrypt, scrypt or Argon2), all a thief sees in a stolen database is a series of random-looking characters where the passwords should be, and the only way to turn those back into passwords is to guess candidate after candidate and hash each one to see if it matches. The troubling thing about the MEGA release is that it contains "dehashed" passwords: the hashes have already been cracked by exactly that guessing process, so the plaintext is fully exposed. This is also why the release is full of older passwords. Many of the sites breached years ago stored fast, unsalted hashes (LinkedIn, for instance, used unsalted SHA-1), and the attackers have had years to run their wordlists against them.
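To make the hash-versus-decrypt point concrete, here is a small Python demo I've added (it isn't from the original post, nor code from any of the sites mentioned). It builds a made-up three-user database twice: once as 2012-style unsalted SHA-1, and once with a random salt per user and a deliberately slow PBKDF2-HMAC-SHA256 from Python's standard library. The wordlist, the accounts and the iteration count are all constructed for the demo, and the iteration count is kept low on purpose so it finishes in well under a second.

```python
import hashlib
import hmac
import os

# Constructed demo data (not from any real dump): a toy wordlist and three
# made-up accounts at the reserved example.com domain.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2012", "dragon"]
USERS = {
    "alice@example.com": "letmein",        # weak: in the wordlist
    "bob@example.com": "summer2012",       # weak: in the wordlist
    "carol@example.com": "zX9!tQ#v4p&Lm",  # random: in nobody's wordlist
}

# Lowered so the demo finishes quickly; a real deployment should use a far
# higher count (or bcrypt/scrypt/Argon2) so that each guess costs much more.
DEMO_ITERATIONS = 50_000


def sha1_hex(password: str) -> str:
    """Fast, unsalted hash: what several 2012-era sites actually stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def leak_unsalted(users: dict) -> dict:
    """Simulate a stolen table of unsalted SHA-1 digests, one per account."""
    return {email: sha1_hex(pw) for email, pw in users.items()}


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """'Dehash' by guessing: hash every candidate once, then look every
    user's digest up in that table. Total cost is len(wordlist) hashes no
    matter how many accounts leaked, because equal passwords share a digest."""
    table = {sha1_hex(word): word for word in wordlist}
    return {email: table[digest] for email, digest in leaked.items() if digest in table}


def hash_salted(password: str, iterations: int = DEMO_ITERATIONS) -> tuple:
    """Store a per-user random salt plus a deliberately slow PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, digest, iterations)


def verify_salted(password: str, record: tuple) -> bool:
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def leak_salted(users: dict) -> dict:
    return {email: hash_salted(pw) for email, pw in users.items()}


def crack_salted(leaked: dict, wordlist: list) -> dict:
    """The salt rules out a shared table: every candidate must be re-derived
    for every user, and each derivation costs `iterations` HMAC rounds."""
    found = {}
    for email, record in leaked.items():
        for word in wordlist:
            if verify_salted(word, record):
                found[email] = word
                break
    return found


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(leak_unsalted(USERS), WORDLIST))
    print("salted PBKDF2: ", crack_salted(leak_salted(USERS), WORDLIST))
```

Both runs recover alice's and bob's dictionary passwords and neither touches carol's random one, which is the real lesson: salting plus a slow hash stops an attacker from cracking an entire dump with one precomputed table (six SHA-1 calls here versus up to fourteen derivations of fifty thousand HMAC rounds each), but it only buys time for a password that is guessable in the first place.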
In simple terms, this means that your combination of email address and password is out there. And it's ridiculously easy for a miscreant to email you, quoting that password as "proof" that they have hacked your computer.
Except they haven't. Even when they spoof your own email address as the sender, to "prove" that they control your account, this is just a smokescreen: the From line of an email is trivially forged, and your mail provider's own checks (SPF, DKIM and DMARC, whose verdicts appear in the message headers) will usually mark such a message as failing. What the scammers have actually done is copy thousands of email addresses, and the passwords that went with them, from the breached databases. It's then trivial to send the same threatening template to every address on the list, merging in each recipient's password to make it look convincing.
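The forged-sender claim is easy to check for yourself, because your own mail provider records its verdict in the headers. The following Python is an added example, not part of the original post: it parses two constructed messages (reserved example domains and a TEST-NET address, nothing real) with the standard library's email parser and reads the SPF, DKIM and DMARC results from the Authentication-Results header that the receiving server adds.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the scam described above. Addresses use the
# reserved example.com/example.net domains and the IP is from TEST-NET-3.
SCAM_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=nicholas@example.com;
 dkim=none (message not signed);
 dmarc=fail (p=NONE) header.from=example.com
Received: from mail.example.com (unknown [203.0.113.45])
 by mx.example.net with ESMTP; Tue, 12 Feb 2019 09:15:00 +0000
From: Nicholas <nicholas@example.com>
To: nicholas@example.com
Subject: Your account has been hacked

I have full access to your device. Your password is hunter2.
"""

# The same self-addressed shape as a genuine note-to-self would look:
# the provider signed it, so DKIM and DMARC pass. Also constructed.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=nicholas@example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: Nicholas <nicholas@example.com>
To: nicholas@example.com
Subject: Note to self

Remember to change the Dropbox password.
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(msg) -> dict:
    """Collect the first spf/dkim/dmarc verdict from the Authentication-Results
    headers the receiving server adds (RFC 8601)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT.findall(str(header)):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def assess_self_spoof(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    recipient = parseaddr(str(msg["To"]))[1].lower()
    verdicts = auth_results(msg)
    findings = {
        "from_equals_to": bool(sender) and sender == recipient,
        "spf": verdicts.get("spf", "none"),
        "dkim": verdicts.get("dkim", "none"),
        "dmarc": verdicts.get("dmarc", "none"),
    }
    # A message that claims to come from your own address but that your own
    # provider did not authenticate is a forged From header, nothing more.
    findings["likely_spoofed"] = findings["from_equals_to"] and "pass" not in (
        findings["spf"], findings["dkim"], findings["dmarc"]
    )
    return findings


if __name__ == "__main__":
    print("scam :", assess_self_spoof(SCAM_MESSAGE))
    print("legit:", assess_self_spoof(LEGIT_MESSAGE))
```

View the raw source of a real sextortion email and you will typically see the same pattern: From equals To, spf=fail or softfail, and no DKIM signature at all. A message you genuinely sent yourself passes DKIM because your provider signed it. The exact header the verdict lives in varies a little by provider (Gmail, for instance, also adds ARC-Authentication-Results), so look for the one added by the server that delivered the mail to you.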
What To Do
The first thing to do is check Have I Been Pwned. Enter your email address and it lists the known breaches that address appears in, so you learn which sites were hit (it does not show you the password itself). And it's not just the smaller websites that have been breached. I found my Istomedia emails had been exposed in the Adobe, Dropbox, Kickstarter and LinkedIn breaches! As for my Pearseus one, it came from Bitly.
So, the second thing to do is go and change your password on all of those sites (if you haven't already done so). Remember, much of this data is from 2012, so chances are you have changed it since. If not, now is a good time to do so. And if you ever used that same password anywhere else, change it there too: the email-and-password pairs in a dump like this are exactly what attackers try, automatically, against every other site they can think of.
Third, instead of using the same password everywhere, consider using a password manager. For the past few years I have been using a password manager called LastPass to, well, manage my passwords. It works on a freemium model: basic services are free, premium ones are just $2/month. Even the basic service covers pretty much everything an average user needs, so I recommend it, as it makes life so much easier. It generates a long, random password every time you need one, different for every site, and then remembers it so you don't have to: all you have to remember is the master password to LastPass itself. That uniqueness is the real protection. A leaked password that was only ever used on one site can only ever unlock that one site.
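Have I Been Pwned also answers a second question, and it does so without you handing over the password: has this exact password appeared in any breach? This added Python example (mine, not the site's or the post's code) shows how the Pwned Passwords range API works: only the first five characters of the password's SHA-1 are sent, the service returns every hash suffix with that prefix, and the match is made on your own machine. The offline stand-in response and its counts are made up for the demo; a live call goes through fetch_range.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Only the first five hex characters ever leave your machine."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup. Add-Padding asks the service to mix in dummy entries
    (count 0) so the response size does not reveal how many real matches exist."""
    request = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times this exact password has appeared in known breaches
    (0 means never seen). The comparison is done locally, on the suffix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def constructed_range(prefix: str) -> str:
    """Offline stand-in for fetch_range so the demo runs without a network.
    The entries and counts are invented, but in the real response format."""
    _, suffix_of_password = split_hash("password")
    lines = [
        f"{suffix_of_password}:3861493",
        "00000000000000000000000000000000001:2",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",  # padding entry
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ["password", "zX9!tQ#v4p&Lm"]:
        print(candidate, "seen", breach_count(candidate, fetch=constructed_range), "times")
```

Running breach_count with the live fetch_range on one of your own passwords is safe in the k-anonymity sense: the server learns only a five-character prefix shared by hundreds of different hashes, never the password or its full hash. A count of zero for a freshly generated password-manager string is precisely what step three above is meant to guarantee.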
And, in case you're wondering, Pwn is a slang term derived from the verb own, meaning to appropriate or conquer, to gain ownership. The term implies domination or humiliation of a rival, and it is used primarily in Internet-based video game culture to taunt an opponent who has just been soundly defeated. So, just follow the 3 simple steps listed above and stay safe!
Thanks for the tip about the password manager. I find the whole business of passwords pretty unmanageable, so LastPass will be really helpful for me!
I’ll let you know if I can find a better way of handling this!
Super helpful, Nicholas. Thanks!
I hope you never need it but you’re welcome 🙂
Thanks for this info, Nicholas, and yes, it’s happened to me, as well. 🙁
So sorry to hear that. At least now you know you don’t need to worry about anyone having hacked your computer 🙂
Thank you, Nicholas, for bringing this issue to our attention and for your advice. I’ve also received these e-mails which I had my IT expert check out. It is disconcerting to receive these e-mails because my website was actually hacked in August 2018. I had to pay an expert to rebuild the website and to retrieve my archived blogs. Further, I bought a new Mac, hoping it was more secure. I didn’t realize that Adobe, which I used in my consulting, had a major security breach. It’s hard enough being an author without having to deal with this.
Yikes! You’re absolutely right; as if writing life wasn’t hard enough without such nonsense…
I can say that I've never had this issue. I also use LastPass, as Kim Komando recommended it, so I checked into it quite some time back.
I’m so glad to hear that you’ve never had to deal with this sort of nonsense 🙂
I've received these emails for months. Each time, I report them as a phishing scam, but they keep coming and coming. The language used in some of the emails cracks me up. They're clearly written for men. Many of the terms are physically impossible for women. 🙂
I keep my camera covered at all times and I’ve never visited an online porn site, but imagine the folks who have? They must really panic when one of these emails drops into their inbox.
I just went to the website you mentioned. Oddly enough, my professional email wasn’t pwned, which is weird since that’s the one the hackers use. Instead, it’s my personal email. Somewhere along the line the hackers found an old password for my professional email and attached to my personal, which has indeed been pwned. Apparently, Adobe had a major security breach back in 2013. I don’t even remember opening an Adobe account, nor do I recognize the other site they mentioned. It looks like a mortgage site, which is frightening, considering we bought our house last year. We didn’t use the company listed (unless they’re a sister company of another lender) but the date aligns with when I received the first email.
May I suggest you use a scammer as one of your characters? Ideally, one that meets with a particularly gruesome death? 😉
I also have no camera attached to my desktop computer. Unlike you, I have never had one of those emails, and would have been quite distressed to receive one, I’m sure. Thanks for this valuable advice, Nicholas. I will bookmark it, just in case! 🙂
Best wishes, Pete.
Some lazy bums don’t even bother to include your password (most likely because they don’t have it). They just claim to and threaten you all the same. Sigh… another day, another scam.