Received a blackmail email from a hacker (1 Viewer)

[The Dotties]

OK, reading this I’ve realised I’ve got a slight problem.
I use LastPass and very happy with it, however the master password is of my own making and I’ve tried to make as hard as I can but still be able remember if.
The last pass suggestion was to difficult to remember when out and about using the phone. I got caught out once when a bank wanted me to log in as a precaution and a cut on my thumb prevented fingerprint log in.
Any ideas. The phone is protected with fingerprints

 

[EML]

Yes it did. The website that I used the password on was compromised. But the password manager means I'm not using the password anywhere else. So worse case, they can see I bought some US candies...

Hmmm... I do pretty much exactly the opposite. 95% of the websites I'm on are completely pointless, or I use them to get technical literature, or pricing, or whatever. I use exactly the same password, or a minor variation, for all these sites, for the simple reason that nobody cares if they're compromised, and I don't care if some hacker somewhere knows the password. If they checked a million websites with that username and password, they'd find another they could get into, but so what? I almost never tell these sites my real name and address, which is the most important thing.

The problem with password managers is that they're a single point of failure, and I don't trust Google/Firefox/whoever any more than I trust myself. Allowing them, or anyone else, to keep a record of your secure passwords is just asking for trouble.

LinkedIn lost all their passwords about 10 years ago, and I used to get lots of these emails with the LinkedIn password. So what.

As an aside, I do a (charity) website for a kids club, and they've recently decided they want to go secure. It's all TLS/SSL now, everyone has their own login, the passwords are hashed and salted on the server, proper session IDs, everything, and it's all pretty much pointless. There's no really 'secure' or identifiable information on the site, but it's what everyone wants now.

 

[Mr Drizz]

What happens when the password manager site gets hacked?

I do have unique often impossible to remember passwords for stuff ever since my login was compromised mid 2000s and a work website was replaced with a nasty insult to me ( hacker specifically targeted me).

So I save passwords to a usb pen drive that’s encrypted. But when that pen drive failed…..

You are reliant on the level of encryption lastpass or any online service use.

^{_{Subscribers  do not see these advertisements}}

 

[JJ]

I suspect I might be pretty difficult to blackmail...

I don't think any of my contacts would be very surprised if a hacker sent them a video of me watching a German "exercise" film...


JJ

 

[I2C]

OK, reading this I’ve realised I’ve got a slight problem.
I use LastPass and very happy with it, however the master password is of my own making and I’ve tried to make as hard as I can but still be able remember if.
The last pass suggestion was to difficult to remember when out and about using the phone. I got caught out once when a bank wanted me to log in as a precaution and a cut on my thumb prevented fingerprint log in.
Any ideas. The phone is protected with fingerprints

To be safe you need a master password at least 20 characters long - a sentence from a book would be fine. This was a recommendation from a white hacker on a professional course I went on in London once via work.

Obviously I won’t be telling you what I use or how I remember it or how long it is…

 

[Gooney]

I've just received the following email:



That is genuinely one of my passwords. And I'm going to ignore it because I know how these scams work.

I've used a password manager for a long time. Every site I use has its own unique password. Therefore I know that this was my password for americanfooduk.co.uk... which I can see from my emails that I bought some Betty Crocker cake icing and some peanut M&Ms from them in 2010.

As that website is dead, I'm assuming that the company went under and its website went dormant. Someone hacked in and stole their user database. Maybe that was why they went under. Regardless, as it was over a decade ago, the database probably wasn't following good security practices, so it was easy for a hacker to extract my password. The hacker then sells or just uploads the details, and they've made their way to this scammer.

Now imagine that I use this password for a lot of things. Suddenly this email is a lot more scary and believable. And they could potentially do a lot more damage. If they carpet bomb enough people, they'll get a nice pay-out.

I'm reporting the bitcoin address to as many places as I can find... Because they are scum.

Please use a password manager!

I received the identical same nasty email about 2 months ago, the sender mentioned a word that i had used as a password in the past, I checked all my passwords and the one they quoted was for a site i'd briefly used in the past and had forgotten about. I traced back via 'TotalAV' and found the company had gone bust or sold on, I also found this companies details had been hacked, the company was 'MyFitnessPal' that had a data breach in Feb 2018, the incident exposed 143,606,147 compromised accounts.... I was obviously very concerned but decided to ignore it. Two weeks later I received a repeat of this mail with some additional 'facts' stating they would send this nasty video to 14 friends from my address book he'd gained access to and for me to imagine the damage that would do to me. Initially some of the facts about keyloggers etc worried me but the more I thought about it I was confident all they had was a single word that WAS part of a password that I'd not used since 2017 so once again I ignored it.

^{_{Subscribers  do not see these advertisements}}

 

[cbrookson]

You can check if your email address or mobile (and therefore the passwords may have been compromised, or you are getting more spam mobile calls) here:
https://haveibeenpwned.com/

Might be of use as a lesson of where this happens ...

Cheers

 

[G-RMPS]

If this a discussion about passwords - no comment!

 

[Podney]

Oh dear! I think I’ll go back to using a quill and just talking to people on the bakelite telephone. If only………

^{_{Subscribers  do not see these advertisements}}

 

[G-RMPS]

Even they had party lines so other folk knew your business

 

[Chris]

I suspect I might be pretty difficult to blackmail...

I don't think any of my contacts would be very surprised if a hacker sent them a video of me watching a German "exercise" film...


JJ

I think some of mine would be disappointed if I didn’t.

 

[Keep Right On]

I had a death threat a year or so ago - if I didnt pay up, he would finalise the contract on me that some jealous business rivals had taken out on me. It was a long email, very detailed and although 96% of me yelled out "scam", there was a little niggling doubt.
Reported it to action fraud and they didnt make me feel any better by telling me they had not come across that one before and suggested I should also inform the local police.
About 4 hours later, action fraud rang back to say they had received 4 other reports and so they were officially downgrading it from threat to scam - a sort of relief but it did unsettle me for a while especially if I went out to the bin at night and heard leaves rustling behind me!

^{_{Subscribers  do not see these advertisements}}

 

[OldCodger]

Rule 1. Never ever ever reuse passwords. Have a different passwords for every site. Why? because the first thing the bad guys do when they get the password for Ima.Sucker@gmail.con is try it on faceache, twatter, hsbc.co.uk to see if it works

Ruke 2 if you get an email like this change the password at all sites where you used that password IMMEDIATELY-and never ever use it again. Why? Because the first thing the bad guys do when they get a password to hack is try it everywhere else.

Rule 3. Change passwords regularly These emails really are hoaxes and rely on old data. I get the damn things but because I change passwords regularly I know the passwords are expired.

Rule 4. Reread rules 1 to 3

Rule 5. Get a password manager. LastPass. 1pass. Plus others are available. They make 1-3 easy.

And if you think I’m wrong - I have $250 million to give away, left to me by my uncle a Nigerian Prince, just send me 30 Bitcoin and it’s yours

 

[EML]

Rule 1. Never ever ever reuse passwords. Have a different passwords for every site. Why? because the first thing the bad guys do when they get the password for Ima.Sucker@gmail.con is try it on faceache, twatter, hsbc.co.uk to see if it works

Ruke 2 if you get an email like this change the password at all sites where you used that password IMMEDIATELY-and never ever use it again. Why? Because the first thing the bad guys do when they get a password to hack is try it everywhere else.

Rule 3. Change passwords regularly These emails really are hoaxes and rely on old data. I get the damn things but because I change passwords regularly I know the passwords are expired.

Rule 4. Reread rules 1 to 3

Rule 5. Get a password manager. LastPass. 1pass. Plus others are available. They make 1-3 easy.

And if you think I’m wrong - I have $250 million to give away, left to me by my uncle a Nigerian Prince, just send me 30 Bitcoin and it’s yours

Ok, really, really, don't do this. It's not necessary, and it's not secure, and it doesn't address the real problem.

Forget the password managers; it's asking for trouble to tell someone on the net all your passwords, or to record all your passwords on any computer, however secure your think your master password is. It's not secure, they're not secure, and you'll pay for it.

Split the websites you visit into the ones that (1) handle your money, (2) the ones that need to know about you (name and address for delivery, etc), and (3) everything else (including porn/dating/etc sites, obvs):

For (1): use 2FA (see above), hide your authorisation device, write down your password, but don't put enough information on the card/piece of paper/whatever so that a burgler who manages to find it could actually log in

For (2): this one is the only problem. People like Amazon need your real name and address, and card details. Try to make sure that they never record your card details, however 'secure' they claim they are. They're not. But this boat has already sailed, unfortunately. Even if you believe that they have deleted your details, their card processors probably haven't (little known fact), and there's nothing you can do about it. Record your username and (complicated) password as for (1)

For (3) - never tell these people your real name and address, or give them any card details. If they haven't got that lot, you're 100% secure, so you can use the same username and password for all of them. If you have to give them your email address, always use a throwaway one (gmail/etc) instead of an important one that could be used to identify you. There's a slight fly in the ointment, which is that hackers may be able to retrieve the IP address of the computers which log into a given website, but 99% of people don't need to worry about this.

Do this, and you can ignore emails which claim they have your password to all porn sites, etc. They're 100% lying; don't even read the email.

BTW, nowadays, you shouldn't use a 'password' for anything secure. You use a 'pass phrase'. Perhaps an obscure sequence of 3 or 4 words that you don't need to write down, with or without spaces. And remember that 90% of security is actual social engineering - if you're hacked, the chances are that they didn't find your password, but that you (unwittingly) just let them in the front door.

One more thing - the hacks you need to worry about are not the ones where they found your password on some other site; it's the ones where the hackers steal entire databases with unencrypted personal information on them. The big high profile one recently (2015) was Ashley Madison. The hackers got names, addresses, and credit card transactions. The hackers don't give a damn about you personally - all their effort goes into the big websites, and getting the user details, to allow ransom demands and large-scale blackmail. No amount of password protection will prevent this.

 

[Minxy]

I don't use a password manager, but then again, I don't go on porn sites and any covert webcam video of me would show me in my boxers, on the sofa, headphones on listening to music, squinting at the screen chuckling at oldmo jokes reading Fun.

OMG ... now that was worth blackmailing you about but now you've told us all it's pointless to do so!

I've been using LastPass with a YubiKey for a long time. I think they got taken over a while ago and people are less certain about them now. There are other good alternatives.

I still do a lot of browsing from my desktop with Chrome, but an increasing amount is on my phone. Whichever password manager you chose, make sure it integrates with the stuff you use. For me LastPass works well with most browsers as well as my Android devices.

If it's not convenient, you won't use it.

Unfortunately you can't use a single Lastpass free account on both laptops AND phones unless you pay for it to be able use on multiple types of devices, alternatively you can have 2 separate Lastpass free accounts, one for each type of device, and copy the info across initially so they match, but you then have to remember to update both as/when necessary, this is what I do as I don't change much on them.

^{_{Subscribers  do not see these advertisements}}

 

[Gaston aires]

This hacking stuff is rife.Netflix informed me that Someone in North America was using my account. I changed password immediately but it makes you wonder how these things can happen.
Phil

 

[DDJC]

Had a couple of these, and they are well written. Ignored them both as they were wrong in so many areas. I haven't watched gerbil porn for years.

 

[Guigsy]

Ok, really, really, don't do this. It's not necessary, and it's not secure, and it doesn't address the real problem.

Forget the password managers; it's asking for trouble to tell someone on the net all your passwords, or to record all your passwords on any computer, however secure your think your master password is. It's not secure, they're not secure, and you'll pay for it.

Split the websites you visit into the ones that (1) handle your money, (2) the ones that need to know about you (name and address for delivery, etc), and (3) everything else (including porn/dating/etc sites, obvs):

For (1): use 2FA (see above), hide your authorisation device, write down your password, but don't put enough information on the card/piece of paper/whatever so that a burgler who manages to find it could actually log in

For (2): this one is the only problem. People like Amazon need your real name and address, and card details. Try to make sure that they never record your card details, however 'secure' they claim they are. They're not. But this boat has already sailed, unfortunately. Even if you believe that they have deleted your details, their card processors probably haven't (little known fact), and there's nothing you can do about it. Record your username and (complicated) password as for (1)

For (3) - never tell these people your real name and address, or give them any card details. If they haven't got that lot, you're 100% secure, so you can use the same username and password for all of them. If you have to give them your email address, always use a throwaway one (gmail/etc) instead of an important one that could be used to identify you. There's a slight fly in the ointment, which is that hackers may be able to retrieve the IP address of the computers which log into a given website, but 99% of people don't need to worry about this.

Do this, and you can ignore emails which claim they have your password to all porn sites, etc. They're 100% lying; don't even read the email.

BTW, nowadays, you shouldn't use a 'password' for anything secure. You use a 'pass phrase'. Perhaps an obscure sequence of 3 or 4 words that you don't need to write down, with or without spaces. And remember that 90% of security is actual social engineering - if you're hacked, the chances are that they didn't find your password, but that you (unwittingly) just let them in the front door.

One more thing - the hacks you need to worry about are not the ones where they found your password on some other site; it's the ones where the hackers steal entire databases with unencrypted personal information on them. The big high profile one recently (2015) was Ashley Madison. The hackers got names, addresses, and credit card transactions. The hackers don't give a damn about you personally - all their effort goes into the big websites, and getting the user details, to allow ransom demands and large-scale blackmail. No amount of password protection will prevent this.

You are right, password managers aren't the ultimate in security, it's better to do it all yourself.

But they are convenient. And, as with most security, you're just trying to make yourself a harder target than the average, so the thief/hacker/low-life moves on to the next mug.

^{_{Subscribers  do not see these advertisements}}

 

[OldCodger]

Ok, really, really, don't do this. It's not necessary, and it's not secure, and it doesn't address the real problem.

The advice from most IT security folks is that it IS the best solution. It’s a common mistake to assume that “all the eggs in one basket” approach is overall less secure.

Although the passwords are all stored in one place, they are encrypted with a very strong system that is virtually un crackable (Yes it is possible but so damned difficult)

It allows for much stronger passwords (my most sensitive ones are 20+ characters of random gibberish) Unique and not guessable.

The password for my manager is as you say a passphrase, 40 plus characters plus a little bit of gibberish at the end and it is that which allows the decrypt of my passwords

I have 200 passwords so remembering them all is impossible- and with “a system” you make things more guessable.

It also doesn’t forget them!

 

[Nick555]

Trusting a 3rd party with your passwords seems a little trusting to me. I do it the other way & have a different email address for each site. The are several email services such as Cotse which offer this. Combine it with a VPN to hide your IP is handy.

Best passwords are 4 words. Kenningsupposejeansummer4! Or something you can remember.

 

[gus-lopez]

I delete all emails without reading except for those replying to me or that I am expecting.

^{_{Subscribers  do not see these advertisements}}

 

[kevenh]

You can check if your email address or mobile (and therefore the passwords may have been compromised, or you are getting more spam mobile calls) here:
https://haveibeenpwned.com/

Might be of use as a lesson of where this happens ...

Cheers

Thanks.
I heard that that site can be well out of date.
There’s this commercial pwned tool: https://www.solarwinds.com/identity-monitor

Looks like at the free level it just reports the last breach

 

[OldCodger]

Thanks.
I heard that that site can be well out of date.
There’s this commercial pwned tool: https://www.solarwinds.com/identity-monitor

Looks like at the free level it just reports the last breach

Have I been pwned is the leader in this password hack field. It can be out of date but it is authoritative and trustworthy. Solar winds were responsible for one of the biggest recent hacks as they had a weakness which allowed hundreds of other sites to be hacked. I’d trust pwned over solarwinds any day

 

[Minxy]

I delete all emails without reading except for those replying to me or that I am expecting.

That's why you ignored mine ... and you said you liked me!

^{_{Subscribers  do not see these advertisements}}

 

[ianthebuilder]

Would he take £1.00 a week ??

 

[OldCodger]

Trusting a 3rd party with your passwords seems a little trusting to me.

You aren’t giving them your passwords- you are giving them encrypted versions of your passwords. You hold the decryption key. You can only unpack the passwords once you have entered your code.

 

[Gromett]

OK, reading this I’ve realised I’ve got a slight problem.
I use LastPass and very happy with it, however the master password is of my own making and I’ve tried to make as hard as I can but still be able remember if.
The last pass suggestion was to difficult to remember when out and about using the phone. I got caught out once when a bank wanted me to log in as a precaution and a cut on my thumb prevented fingerprint log in.
Any ideas. The phone is protected with fingerprints

Possibly a bit late to this.

I use LastPass and the master password I use it easy to remember for me. However, I use 2FA and have a Yubi key to protect it.

2FA is 2 factor authentication. Something you know ( password) and something you own (phone or yubi key)

I don't like using my phone for 2FA as it is as easy to hack as a desktop computer, SMS spoofing or number migration can all cause issues.

I also use my Yubi key to protect many other services such as google, github and many others.

I like the yubi key because it is not connected to the internet, has no battery and is extremely rugged.

Once configured, very easy to use.

^{_{Subscribers  do not see these advertisements}}