
Forums - General Discussion - Warning: Sextortion scam going around

I just got hit with this today
https://nakedsecurity.sophos.com/2018/07/13/sextortion-scam-knows-your-password-but-dont-fall-for-it/

They apparently got my email address (hasn't changed since the 90s) and some super old password (also from the 90s) to try to scam me out of money. Now I do google porn but my webcam has been disabled since I got this laptop. Nice try, not.

Unfortunately I did still use that password for wifi (easy to remember) and my Amazon password was also an oldie from when Amazon first started. So to be safe I updated those (pita to get back into modem and extender, change wifi passwords and reconnect a dozen+ devices, hence I never did it)

Still a bit concerning to find out my email and some old password are out there :/




And here was I eager to see your leakages.



duduspace11 "Well, since we are estimating costs, Pokemon Red/Blue did cost Nintendo about $50m to make back in 1996"

http://gamrconnect.vgchartz.com/post.php?id=8808363

Mr Puggsly: "Hehe, I said good profit. You said big profit. Frankly, not losing money is what I meant by good. Don't get hung up on semantics"

http://gamrconnect.vgchartz.com/post.php?id=9008994

Azzanation: "PS5 wouldn't sold out at launch without scalpers."

I got something like this years ago. But it was a bit different, it didn't reveal a password. It did manage to read my contacts and randomly pulled two names of people who would be informed though. Pretty funny that it happened to pick a local pizza shop, what a way to scare me!



Hiku said:

I use different passwords for everything, and I don't have a webcam, so I guess something like this wouldn't concern me.
But good for people to know that these things tend to be scams.

Yeah me too, it's just that one password I use for low risk stuff. I might have used it once for some one time use website to send a card or something. Or maybe the psn hack got it although that shouldn't have your wifi info. The rest of my passwords are all different random strings of characters.

A new one for me although this scam is already 2 years old. Meanwhile the apple / amazon / netflix scams continue almost daily. Is there no law against this stuff that it continues to go on at this scale? They're starting to look closer and closer to the real thing. Of course never ever click on anything inside an email, and only open attachments from people you are expecting to send you them.



What is wrong with me?

Last edited by d21lewis - on 15 November 2023


I use various passwords tho some repeat I admit. I don't have a webcam. Well I kinda do in the laptop but it's set up like a desktop for space reasons so the lid is never open. I should create even more passwords since I do use Lastpass anyway.



Bite my shiny metal cockpit!

d21lewis said:
Didn't click the link but I'm pretty sure I know what it says. There are some lucky ladies with my nudes out there but I'm kinda proud of them. Hell, if they ever leak, go ahead and consider me the prime suspect!

Good man!

Here's the email for your reading pleasure

I'mFaware,N********,cisTyourkpassword.cYounmayrnotGknowPme,jandhyouwareSmostOlikelyrwonderingEwhyoyou'rejgettingUthisBmail,Sright?L

Overview:

IxinstallediaymalwarewonLtheHadultbvidsB(sexVsites)msite,bandathere'sKmore,XyouuvisitedzthisxsiteftohhavezfunL(youvknowiwhatPIMmean).fOnceqyouSwereetherefonktheDwebsite,nmyAmalwareYtooklcontrolqofQyourgbrowser.JIthstartedroperatingjasaatkeyloggereandSremoteFdesktopdprotocolzwhichNgaveqmeeaccessvtoJyourjwebcam.jImmediatelyoafterTthat,umyvsoftwareEcollectedmyourAcompleteCcontactsvfrombyourbMessenger,OFB,Landremail.sTIYcreatediacdouble-screenfvideo.OFirstvpartNshowsztheDvideoIyoutwerehwatchingw(youthaveMaGgoodMtasteylolk.n.t.),eandrtheisecondMpartKdisplaysktheHrecordingAofUyourFwebcam.Q

PreciselyMwhatTshouldfyouFdo?

Well,mIwbelieve,v$1900jisKaWfairHpriceLforVourtlittleCsecret.EYouGwillRmakeitheSpaymentHthroughmBitcoiny(ifsyoutdon'tOknowjthis,XsearchP"howqtoebuyUbitcoin"ginEGoogle).l

BTCsAddress:Z
bc1qmmksuk7fqzg5l9rkkm6pp5vkfsrjqd5kffsfsg
(ItgisOcaseCsensitive,NsoecopyYandKpasteKit)

Note:

YoudhavegoneLdayytotmakeithespayment.D(I'vesalspecificYpixelvwithinSthisOmessage,nandvnowYIFknowOthatWyouyhavewreadZthroughHthisMemail).UIfRIedounotUreceiveDthejpayment,MINwillNsendryourmvideotrecordinggtokallmofayourLcontacts,Xincludingqyourmrelatives,Zandicolleagues.mHowever,TifJIkdoWgetMpaid,ltheZvideocwillXbeMdestroyedeimmediately.iIfMyoubneedzevidence,XreplyKwithV"Yes!"FandyIkdefinitelyjwillPsendbyourYvideoKrecordingqtotyourH10zcontacts.XThisRisuaunon-negotiableloffer.BPleaseMdon'tXwasteTmyNpersonalZtimeeandryoursfbyYreplyingKtozthisYemail.

Magdalena







Edit: well that's odd, pasting this email is a mess... looks alright in edit mode. Second time I tried ctrl shift v, bigger mess.
Ah, the spaces are actually white on white random letters, to circumvent filters I guess.



I redacted the password, not that it matters anymore, wifi security updated.
Not that I visit porn sites anyway, no need with image search programs lol.

And indeed, even if the webcam was operational, at most the top of my head would be visible... Nothing like the nudes and webcam sessions I had with my wife in the past lol. She probably has some compromising pictures on her phone, although compromising is the wrong word, flattering is a better word.

Last edited by SvennoJ - on 10 April 2020
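The filler trick described in the post above (random letters rendered white on white where the spaces should be), as an added example that is not part of the original thread: a Python sketch that separates the text a recipient sees from the text a keyword filter sees, and measures how much of the message is hidden. The sample HTML is constructed to reproduce the first sentence of the pasted email; the style heuristics and all names are assumptions.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text on a white background (heuristic, assumed list).
HIDDEN_STYLE = re.compile(
    r"(?:^|;)\s*(?:color\s*:\s*(?:#fff(?:fff)?|white)"
    r"|font-size\s*:\s*0(?:px|pt|em)?|display\s*:\s*none)\s*(?:;|$)",
    re.IGNORECASE)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}  # no closing tag

class HiddenTextSplitter(HTMLParser):
    """Collects the text a reader sees and the text a plain-text filter sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []        # per open element: is it, or an ancestor, hidden?
        self.raw, self.visible, self.hidden_chars = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1]
        self.stack.append(inherited or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if self.stack and self.stack[-1]:
            self.hidden_chars += len(data)
            self.visible.append(" ")   # the filler sits where a space would be
        else:
            self.visible.append(data)

def analyse(html):
    p = HiddenTextSplitter()
    p.feed(html)
    p.close()
    raw = "".join(p.raw)
    visible = re.sub(r"\s+", " ", "".join(p.visible)).strip()
    return {"raw": raw, "visible": visible,
            "hidden_ratio": p.hidden_chars / max(len(raw), 1)}

# Constructed sample reproducing the first sentence of the pasted email.
SAMPLE = ('<div style="background-color:#ffffff">I\'m<span style="color:#ffffff">F</span>'
          'aware,<span style="color:#fff">N</span>********,<font style="color: white">c</font>'
          'is<span style="font-size:0">T</span>your<span style="color:#FFFFFF">k</span>password.</div>')

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A mail filter that scores the `visible` string instead of the raw text sees the same words the recipient does, and a non-zero `hidden_ratio` in a short personal-looking message is itself a useful signal.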

What's the max length of a password that's actually used/stored on sites though? Some random sentence might sound safe, but if the site only checks the first 10 characters or so :/ Then try to remember 40 different random sentences for stuff you maybe only access a few times a year. Write it down somewhere safe. There's only 2 (difficult) passwords I remember, the one for my bank and the one for my email, since every password reset request goes to my email. That's the most vulnerable point. That's my Microsoft password now which I also unlock my laptop with every day, so won't forget it. Of course if MS gets hacked :/



Yeah, this has been going on for a while. I got one maybe last year or the year before that too, and I think it was already old by then. A good reminder though. The passwords are probably from leaks from other services and they're just guessing you're still using the same email address and password everywhere else because it's a fairly good guess.

SvennoJ said:
What's the max length of a password that's actually used/stored on sites though? Some random sentence might sound safe, but if the site only checks the first 10 characters or so :/ Then try to remember 40 different random sentences for stuff you maybe only access a few times a year. Write it down somewhere safe. There's only 2 (difficult) passwords I remember, the one for my bank and the one for my email, since every password reset request goes to my email. That's the most vulnerable point. That's my Microsoft password now which I also unlock my laptop with every day, so won't forget it. Of course if MS gets hacked :/

Any service that does password security well doesn't, in practice, restrict password length, because the password itself is never stored but only used to calculate a fairly short value. I mean, there might be some really high restrictions, but in practice, you shouldn't run into them. Poorly designed services are another thing though...

Anyway, you'll want to use a different password everywhere. Password managers are what's considered an acceptable solution to 'remembering' all the passwords these days. That way, you only need to remember one password.
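The point in the reply above, that a well-designed service stores only a short value computed from the password, next to the truncating design the question worries about, as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256 from Python's standard library is chosen here for illustration; the iteration count, the 10-character limit and all names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # example work factor (assumption); tune for your hardware

def store(password, max_len=None):
    """Return (salt, digest). max_len models a site that silently truncates."""
    if max_len is not None:
        password = password[:max_len]        # the poor design asked about above
    salt = os.urandom(16)                    # unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def check(candidate, record, max_len=None):
    salt, digest = record
    if max_len is not None:
        candidate = candidate[:max_len]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)   # constant-time comparison

def demo():
    short = "hunter2"                                    # constructed sample
    long_phrase = "correct horse battery staple " * 8   # 232 characters
    changed_tail = long_phrase[:10] + "x" * 50           # same first 10 characters only
    results = {
        # The stored value is 32 bytes whatever the password length.
        "short_len": len(store(short)[1]),
        "long_len": len(store(long_phrase)[1]),
    }
    good = store(long_phrase)
    results["good_accepts_exact"] = check(long_phrase, good)
    results["good_rejects_changed_tail"] = check(changed_tail, good)
    weak = store(long_phrase, max_len=10)
    results["weak_accepts_changed_tail"] = check(changed_tail, weak, max_len=10)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the truncating site, everything after the tenth character of a long passphrase contributes nothing, which is why the length a site accepts matters less than what it actually feeds into the hash.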



Someone tried that with me not too long ago. Laughed it off and deleted the email. Then I shook my head at the site with poor password security.