Security Advisory: New Email Scam claiming hackers have your password

Over the past few weeks, some people have received emails from themselves claiming that a hacker has stolen their passwords and hacked their webcam, threatening to expose your data, as well as browsing habits if you do not remit to them some bitcoins valued between $1000-$1500 US dollars.

The hackers use publicly exposed data from massive breaches that have happened across various popular services including Yahoo, LinkedIn and others.

In this new type of email scam, the hacker spoofs your email address appearing as if he has logged into your email account and sent yourself an email. This can be easily achieved and could be minimized following best practices detailed in my earlier post about preventing email spoofing with SPF.

The hackers claim they have your password, which they get from publicly exposed data, and hope to intimidate you into paying them a ransom.

The hackers deploy automated processes to mass email and spoof the users addresses appearing to be sent from their own mailboxes.

Security Best Practices

Whether you are a victim of this email scam, or not — you should follow some best practices to avoid being compromised:

  • Check your password on Have I Been Pwned. It will let you know if the password exists in publicly exposed data from previous breaches.
  • Change your passwords immediately.
  • Ensure the use of strong passwords which contain lower case, upper case, numbers and symbols
  • Ensure your password is unique for every website or service that you use.
  • Use multi factor authentication wherever available.
  • Always make sure you are entering your passwords on secure websites. Learn more on how to check if a website is secured or not here.
  • Make sure you’re using SSL/TLS in your email clients.