I recently received a startling email with a subject line that contained one of my passwords and appeared to have been sent by a hacker from my own computer (sender email address was my own work email address).
It was from a self-described "hacker" who wanted me to give him/her $976 USD in Bitcoin or they'd email all my contacts some of the pornography that I'd allegedly been viewing along with a photo taken from my laptop web cam "enjoying myself". They explained in the email that they hacked a vulnerability in my router, gaining access to my computer and sending me the threatening email from my own email address. They assured me that malware was installed that would capture any password changes I attempted.
My immediate thought was that this was a scam. I was positive that there could not possibly be such blackmail material in existence. Nevertheless I could feel my heart racing faster as I read through the email. My mind raced.
They have one of my passwords?!
I'm going to have to change every password on every email address I have, and on every web account I've ever created!
I'll have to spend hours trying to undo this hack!
In these hacks and data breaches, consumer data such as full names, addresses, phone numbers, and of course email addresses and login passwords of millions of people have been unleashed to the dark web. Some of these stolen databases are encrypted but nevertheless completely at the mercy of limitless automated brute-force attacks (a computer program relentlessly tries all possible password combinations until the file unlocks).
The password that was flaunted to me in the subject line was an old password that I'd used many times to log into various non-critical online accounts.
I sent off a quick support email to my email server support staff that included the email source code to get a second opinion. Better safe than sorry.
They replied promptly, letting me know that they've been getting A LOT of frantic inquiries recently regarding the very same email threats that I had just received. It was indeed a complete scam and completely related to the aforementioned data breaches (and others that we may not know about yet).
How the Scam Works
Scammers get ahold of these databases and extract your personal information. They then try to trick you into thinking they obtained it by hacking into your computer. Scammers can "spoof" the sender's email address to match your email address—making it seem as though the message was sent from your own "hacked" computer.
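The message source shows the spoofing. The sketch below is an added example, not part of the original post: it reads the `Authentication-Results` header that a receiving mail server records and checks whether a message claiming to come from your own address passed DMARC. The sample message, addresses, hosts and IP are constructed, and it assumes your mail server adds that header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers of a "sent from your own account" extortion mail.
# Every address, host and IP here is made up (example.* and 203.0.113.0/24).
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from unknown (HELO mailer.example.net) (203.0.113.45)
 by mx.example.com; Tue, 2 Oct 2018 09:14:07 +0000
Authentication-Results: mx.example.com;
 spf=softfail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "me" <me@example.com>
To: me@example.com
Subject: [one of your old passwords]

I hacked your router...
"""

def addr(value):
    """Bare, lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def analyze(raw):
    msg = message_from_string(raw)
    # Only trust Authentication-Results lines written by your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {k.lower(): v.lower() for k, v in
               re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    sender, envelope = addr(msg["From"]), addr(msg["Return-Path"])
    from_dom, env_dom = sender.rpartition("@")[2], envelope.rpartition("@")[2]
    # DMARC is the check that ties SPF/DKIM to the visible From: domain.
    from_verified = results.get("dmarc") == "pass"
    claims_own = bool(sender) and sender == addr(msg["To"])
    return {
        "claims_own_address": claims_own,
        "envelope_mismatch": bool(env_dom) and env_dom != from_dom,
        "auth": results,
        "looks_spoofed": claims_own and not from_verified,
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```

A message that really left your own mailbox would normally show `dmarc=pass` and an envelope sender in your own domain.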
My server support staff gave me a handy link to a website that can cross-reference any email address with a database of known data breaches to see if it has been harvested. Sure enough, I entered my work email address and it had been harvested in 7 known data breaches! Adobe.com, LinkedIn, Last.fm, Dropbox (Dropbox!?), Myspace.com and 2 other non-specific data breaches.
I was relieved that I had not been genuinely hacked directly, but more than a little disconcerted about my personal data dwelling aimlessly in the dark web.
So what do I do about it—change every single damn password for every single online account I can recall?
In short, yes.
This was a huge wake-up call screaming the genuine importance of changing passwords on a semi-regular basis.
Some of the data breaches are dormant for years before surfacing on the dark web. There are undoubtedly MANY data breaches that we are not yet aware of, and may not be for some time.
The best option for some may be password managers like Apple's iCloud Keychain, 1Password, LastPass and others. With some of these systems you'll never have to even know the password—it just saves them and autofills for you.
For others, the best option is a smart password system.
Check if your email address (and likely your password and other personal info) is lurking on the dark web by visiting https://haveibeenpwned.com.
It might be the scariest and most reality-smashing thing you do today, but you'll be glad you did.