The questionable email message that this person was reporting describes how this person’s account had been hacked, how changing the password wouldn’t help, and that it was being held for ransom to be paid in Bitcoin. And, indeed, it appeared to be “From:” this person’s email address.
Variations of this scam even include a password — a password that you’ve actually used.
Even so, “complete BS” is very accurate.
Though, if there is a password, then there is one thing you should do.
Become a Patron of Ask Leo! and go ad-free!
- These messages are nothing more than spam. Mark them as such and move on.
- The messages lie: they do not mean your account has been hacked.
- Email can easily be made to look like it came from your email address without needing to hack your account.
- Even if it includes a password you recognize, it’s probably not related to this account.
- That password was exposed in some prior breach, and you should stop using it.
Here’s an example of what was reported (I replaced the email address with my own – it was indeed the email address of the person asking):
From: firstname.lastname@example.org Date: October 28, 2018 at 4:38:31 AM PDT To: email@example.com Subject: firstname.lastname@example.org is hacked Hello! My nickname in darknet is des53. I hacked this mailbox more than six months ago. Through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. ...
And another, this time from my own spam folder, including a password:
From: <email@example.com> To: "arealpassword" <firstname.lastname@example.org> Subject: account was hacked Date: 1 Oct 2018 05:11:52 -0800 Hello! I'm a member of an international hacker group. As you could probably have guessed, your account email@example.com was hacked, because I sent message you from it. Now I have access to you accounts! For example, your password for firstname.lastname@example.org is arealpassword Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we've created, through an adult website you've visited. So far, we have access to your messages, social media accounts, and messengers. Moreover, we've gotten full damps of these data.
In this example, “arealpassword” represents an actual password I have indeed used in the past — just not for that email account.
There are additional variations, often playing up the adult website angle, or even claiming to have recorded a video that they threaten to release if you don’t pay.
It’s spam, pure and simple
These messages really are nothing more than spam. Mark them as such and move on.
More correctly, they’re a scam: they’re trying to fool you into paying when there’s absolutely no reason to.
Messages like this are sent to thousands upon thousands of email addresses every day. Just like spam. If you have multiple email addresses, you’ll probably see them across many accounts.
I have dozens of email addresses and I get dozens and dozens of these messages. If Gmail hasn’t already identified them as spam, I mark them as such and move on.
The messages lie
These messages garner attention because they try to scare you by lying about what they know.
- They did not hack your email.
- They did not send the message using your account.
- They did not plant a virus on your machine to monitor password changes.
- They did not record video of you watching online video1.
- They do not actually have the password to your email account.
If you take away all these lies, there’s nothing left except spam.
But, they sent “From:” my email address!
The messages only look like they came from your email address.
In reality, using a technique called “From: spoofing“, the hackers simply crafted an email with your email address in the “From:” line and sent it using their own servers, hacked servers, or botnet. Your actual email account was not involved in any way.
“From: spoofing” is nothing new. Spammers have been doing it for years. If you look closely at your spam, you’ll probably see messages “From:” people you know that they didn’t send. That’s because they didn’t. The spammers did, and simply made it look like your friend sent it.
This particular ruse is no different. It’s spam.
But they included a password I actually used!
This is what made the original wave of this spam so unique: it included actual passwords associated with the email address they were sending the scam to. Note that the passwords were not necessarily the actual email account password; they were passwords associated with the account.
Blame breaches. Specifically, if you’ve ever had an account at an online service that suffered a data breach, the password you used at that service might have been exposed at that time.
Here’s the sequence of events:
- You have an email account with a password. Say “email@example.com” with a password “kbrPMkey4AYnfu7fCX5E”.2
- You have an account at somerandomservice.com using an email address — “firstname.lastname@example.org” – and a password — “arealpassword”.
- Somerandomservice.com suffers a data breach and their account database is stolen.
- Somerandomservice.com used poor security, making it possible for the hackers to see both the email address (“email@example.com”) and the password (“arealpassword”).
That’s it. That password is “associated with” your email address because you used it somewhere. It is not the actual email account password.
But it does get your attention. (I know it got mine the first time I saw it.)
One thing to do: change passwords exposed in breaches
Whenever a password you use is somehow exposed in a data breach, it’s important to stop using that password. Anywhere. That’s why the breached service will immediately instruct or force you to change your password.
If you’re using the same password anywhere else, you should change it there as well, to a password unique to that specific account.
Hackers know we’re lazy and often use the same password across multiple different accounts. That’s why when a password is discovered “in the wild,” it’s still a serious thing. Hackers often try that password (along with your email address) at a variety of online services, just in case you reused it there.
This scam has actually done you a small favor: it’s identified a password that you should no longer use anywhere. It’s shown you that this password has been discovered “in the wild”.