I receive a number of email newsletters each day, but I thought this one was particularly useful, so have replicated it below. It is from Fortune magazine in their Cyber Saturday Edition:
Good morning, Cyber Saturday readers.
Several friends and professional contacts phoned me in a state of panic this summer. They said they had received emails from a shady entity claiming to have hacked their computer webcams while they were viewing adult websites. The interlopers threatened to send video clips of these folks doing—well, you can guess—to all of their contacts unless they paid a ransom.
Should they pay? Should they torch their electronics? How does one acquire $1,900 in Bitcoin?
Normally, one might ignore the demands of a random stranger making outrageous claims on the Internet. But these messages bore a troubling bit of information, something that instantly set their targets on edge. “I am aware, , is your pass word,” the notes began, accurately.
Imagine finding this in your inbox. Subject line: “ – .” Try not to snap to attention.
Here’s what I advised everyone to do. First, calm down; breathe. Second, check to see whether any accounts tied to that password appear in Have I Been Pwned, a searchable database that identifies what personal information of yours may have leaked as a result of various online breaches. If any accounts that once used that password pop up, then the extortionist likely scraped all of the information from one of these data dumps. Translation: The crook has not been monitoring your every keyboard touch, screenshot, and webcam image. Rather, the delinquent is bluffing—frightening unsuspecting victims into forking over cryptocurrency.
In every case, Have I Been Pwned showed the passwords to have spilled as part of a leaked dataset originating in a 2012 breach of LinkedIn—a relief. So I advised my confidantes to take a few steps. Change the password for any account still using the exposed password. Download a secure password manager to keep track of the new (stronger, I hope) passwords. Apply two-factor authentication , an extra security measure, wherever possible—preferably using apps that serve up one-time codes versus SMS texting. While you’re at it, go ahead and cover up that webcam. (Brian Krebs, another journalist who investigated the scam, has more tips here.)
Ryan Kalember, senior vice president at Proofpoint, a cybersecurity firm, shared my instincts. When I emailed him for his opinion, he recommended, as a first course of action, checking Have I Been Pwned. “If it shows up there, you’re probably fine—this campaign seems highly automated, with just enough tweaking to get through most spam filters and email gateways,” Kalember said. But: “If the password doesn’t show up there, that’s more worrisome, and you should definitely investigate whether you’ve recently clicked on a phishing link for the account where you used that password, or have your computer compromised with credential-stealing malware.”
None of the people who sought my counsel ended up paying the ransom, as far as I know. And none of them, I’m happy to report, suffered any consequences as a result, as far as I know. I certainly have not received any salacious materials featuring their private acts. Thank goodness.
If ever someone tries to scare or intimidate you into performing some action, like paying a ransom, always give the threat extra scrutiny. Criminals are generally not an honest bunch.
