Information Security, Security

Password blackmail

Well, this one is just rolling and rolling.
Starting in the summer of 2018 some enterprising scammer decided that the vast number of password exposures can be used for a new purpose – directly blackmailing the account holders.

These exposures quite often list both the email address and password for some service or other. Perhaps it’s an email service, perhaps an online shop, perhaps some university, perhaps a fan forum – could be any online service. Hundreds of millions of account credentials have been exposed in this manner.

The blackmail email starts with this information, the email address and password that have been exposed. The subject line often includes both the username and password.

Of course, with most emails the first advice is to check the sender. Alas, with a thoroughly vicious email like this one the sender is irrelevant.

You won’t know the sender, and the sending address will be a consumable / disposable one.

Then we get the blackmail.

Right from the beginning I will tell you there is no such malware installed on any of your computers or mobiles. Therefore the video mentioned could not possibly have been made.

For the vast majority of people this is a scary fraud. Indeed, as many people would never visit pornographic websites, on its own the statement would cause little fear.

The problem is that the password mentioned is one the recipient recognises. They have used this password. That is really the point here and why the email is so scary. But we’ll come to that later.

The next section lays out a threat if you ignore this email.

If, as I have stated, no such video could possibly exist this is a hoax, completely without merit of any kind.

Next we come to the blackmail.

Well, in this case a sum of money is required for the sender to delete the offending video. As I have said, the video does not exist, so why would you pay to have it deleted? Also, standard advice is to never pay ransoms of this nature: each person that pays up proves to the attackers that the method is profitable. Also, you have absolutely no guarantee that the sender will delete the video, or (if the threat were real) that they have not accessed other information or left further malware on the system. I reiterate though, no such malware or intrusion has taken place – it is a hoax.

So we’ve decided not to pay. So the sender tries to change our mind.

As I said, the sending address is disposable, so tracing it back to a person would be hard. Whether the sum requested is small or large, you’re given a deadline to add to the threat.

Then they repeat the threat with a bit more detail. This is utter nonsense: the video is nonexistent!


Alas, the email cannot be entirely ignored. The password is one the recipient recognises.

So my advice is as follows:

  • NEVER pay the ransom
  • Change ALL your passwords
    • This includes both personal and business websites and online services (people have a habit of using the same passwords all over the place)
    • Use a DIFFERENT password on all services and websites (NEVER reuse passwords)
  • Where available, ALWAYS enable multi-factor authentication (MFA)
  • DO NOT link personal services / websites to your corporate email account or vice versa
    • Linking business and personal services places both at risk when there is a breach
    • You may lose control of personal services if you leave the company
  • NEVER reveal ANY of your passwords to ANYONE – including colleagues and IT Support
  • You can CHECK if your email address is listed in any data breaches with services like Troy Hunt’s HaveIBeenPwned.
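The last point above is about checking an email address; HaveIBeenPwned also offers a Pwned Passwords lookup that lets you test whether a password (such as the one quoted in the blackmail email) appears in known exposures without ever sending the password itself. The client below is an added example written for this post, not code from the blog or from HaveIBeenPwned: it hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned suffixes locally (the k-anonymity scheme the real service uses). The network function is injected so the example runs offline against a constructed fake server; the live fetch uses the public `https://api.pwnedpasswords.com/range/` endpoint and is an assumption about how you would wire it in.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Public Pwned Passwords range endpoint (assumed wiring; only the 5-char prefix is sent).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_hash: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    return hex_hash[:5], hex_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the dataset (0 = not found).

    fetch_range receives ONLY the 5-char hash prefix, never the password or full hash.
    """
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real network fetch (not exercised offline)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed fake server for offline demonstration -------------------
# A tiny made-up "breach corpus" of plaintext passwords with occurrence counts.
FAKE_CORPUS: Dict[str, int] = {"password": 3730471, "letmein": 235000, "Tr0ub4dor&3": 1}
PREFIXES_SEEN: List[str] = []  # records what the "server" actually received


def fake_fetch_range(prefix: str) -> str:
    """Serve suffix lines for the requested prefix, like the real API would."""
    PREFIXES_SEEN.append(prefix)
    lines = []
    for pw, count in FAKE_CORPUS.items():
        p, s = split_hash(sha1_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    # The real service pads responses; an unrelated filler line is harmless to the parser.
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def check_offline(password: str) -> int:
    return pwned_count(password, fake_fetch_range)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_offline(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in corpus'}")
    print("server only ever saw prefixes:", PREFIXES_SEEN)
```

To run it against the live service, call `pwned_count(password, live_fetch_range)`; the privacy property is the same, since the function you pass is only ever handed the five-character prefix.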

And just to say once more: although the email is horrible, it is in and of itself a hoax. No video of you has been made, and no malware has been installed on your computer. You should, however, change your passwords as advised.

About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
