Have you ever received an email from someone claiming to have hacked your computer and obtained proof of you in an embarrassing situation or engaging in inappropriate behavior? Does the sender threaten to expose your dirty secrets to your contacts unless you pay them off in bitcoin? Do they use your own name and email address in the “From:” field, and include your password (usually an old one) in the body of the email as proof that they’ve compromised your computer and accessed your data?
If so, you’re not alone. There’s been a marked increase in this type of phishing scam in the past year. And, except for very rare instances, the people behind these campaigns haven’t hacked your computer. They’ve gotten your credentials as a result of a data breach.
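As an added illustration of the traits described above (a self-addressed spoofed "From:", a recycled password, and a bitcoin demand), the following Python snippet, which is not part of the original post, checks a constructed sample message for those indicators in the way a mail filter or triage script might; the addresses, headers and wallet string are all made up.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): self-addressed "From:", an old
# password in the subject and body, a failing SPF result, a BTC demand.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.invalid; dkim=none
Return-Path: <noreply@bulk-sender.invalid>
From: Jane Doe <jane.doe@example.com>
To: jane.doe@example.com
Subject: jane.doe@example.com - hunter2

I hacked your device and have your password: hunter2.
Send 0.5 BTC to 1SCAMSCAMSCAMSCAMSCAMSCAMSCAMSCAMS within 48 hours
or I will send the video to all your contacts.
"""

# Base58 P2PKH/P2SH or bech32 address shapes; the sample address is fake.
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
KEYWORDS = ("password", "hacked", "bitcoin", "btc", "contacts")


def sextortion_indicators(raw):
    """Return the indicators present in a raw RFC 5322 message, in fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_addrs = msg["From"].addresses if msg["From"] else ()
    sender = from_addrs[0].addr_spec.lower() if from_addrs else ""
    recipients = {a.addr_spec.lower() for a in (msg["To"].addresses if msg["To"] else ())}
    if sender and sender in recipients:           # sender spoofed as the victim
        found.append("from_equals_to")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth or "dkim=none" in auth:
        found.append("auth_failure")               # SPF/DKIM did not vouch for From
    return_path = (msg["Return-Path"] or "").lower()
    if sender and return_path and sender.split("@")[-1] not in return_path:
        found.append("return_path_mismatch")       # bounces go to a different domain
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    if BTC_ADDR.search(body):
        found.append("bitcoin_address")
    if len([k for k in KEYWORDS if k in body]) >= 2:
        found.append("extortion_keywords")
    return found


def is_likely_sextortion(raw):
    """Three or more indicators together are treated as a likely scam."""
    return len(sextortion_indicators(raw)) >= 3
```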
Recent large-scale breaches have affected hundreds of millions of people using popular mainstream applications and websites, and they almost always expose usernames and passwords. In 2013, a breach at Adobe compromised usernames and passwords connected to 153 million users. In 2016, 164 million LinkedIn accounts were exposed in a breach. Other recent mega-breaches include Anthem in 2015, which included not only credentials but also the protected health information of almost 80 million individuals; Equifax in 2017, which impacted 143 million people; and most recently the Marriott breach, which is currently estimated to have affected 383 million customers.
My data has potentially been exposed in most of the breaches I’ve listed. Odds are your data has been, too. To find out, you can search haveibeenpwned. This is a free resource site that allows you to search your email address to determine if your information may have been leaked as a result of an online breach.
Now that you know how someone got your information, what should you do about that email? What you should do is take the same steps as you would in response to any other phishing email. What you should not do is fall prey to the sender’s attempt to scare or embarrass you into a hasty response.
Also, if you stop and take another look at the password the sender included in the email, you’ll notice that it’s probably not a current password – or at least it shouldn’t be. You should always change your password for a breached site to protect yourself not only from hackers actually getting into your account, but also from them using your credentials to successfully catch you in their phishing scam. And, don’t be embarrassed or ashamed; that’s the reaction the sender is trying to elicit.