Keeping Your Online Accounts Safe Against Data Breaches

Subject: hunter2

Hello!

I have very bad news for you. 05/21/2019 - on this day I hacked your OS and got full access to your account [email protected]. Your password is indicated in subject of this email.

So, you can change the password, yes.. But my malware intercepts it every time.

How I made it: In the software of the router, through which you went online, was a vulnerability. I just hacked this router and placed my malicious code on it. When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock. But I looked at the sites that you regularly visit, and I was shocked by what I saw!!! I’m talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea… I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?). After that, I made a screenshot of your joys (using the camera of your device) and glued them together. Turned out amazing! You are so spectacular!

I’m know that you would not like to show these screenshots to your friends, relatives or colleagues. I think $858 is a very, very small amount for my silence. Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!

That’s a scary email, especially when your actual password is in the subject of the email. In my case it was only a previous password I had used in years past, but when I first read the email I was worried that they may have actually had access to my account. The first question I asked, was how did they get my password?

Breaches

On October 3rd, 2013 Adobe had a security breach impacting 38 million users. This breach included usernames, passwords, and credit card details. Many of their customers claim to have not been contacted (I was not contacted), which lead to many not changing their passwords before they were shared and used. This kind of breach happens many times a year with different sized databases, with a lot using weak or no hashing on the passwords. The lists of usernames and passwords from these data breaches are then tried on other popular sites, in hope that a user reuses their password on multiple sites. This is the reason why emails like these can be scary for people that reuse the same password, as this password could actually be their email password or password to an important account.

The purpose of the email

You might be asking yourself, “if a bunch of people have access to my username/email/password, why aren’t they just trying to log into my bank accounts, PayPal accounts, or email account?” The answer to that is because it’s a lot more work than the work they put into the email. If they have access to the data breach from Adobe, they have 38 million people who they can send an email to. While many people will either understand that the email is fake, don’t use adult sites, or don’t know how to send Bitcoin, if 0.01% of people send Bitcoin then the scammer has still made over $3,000,000! That’s all off the simple action of having simple software send almost the same email to each person, with only the subject line changed to show the password.

What you can do

While you can try to make your passwords as secure as possible, the site haveibeenpwned.com has over 424 websites that have been breached in its database. Some of the largest breaches include Yahoo, Equifax, First American Financial Corp., and many others. If you’re reading this and you have at least several accounts on internet sites or apps, you’ve probably been in one of the data breaches. Here’s a few tips on how to secure your online presence:

1. Check haveibeenpwned.com and secure any breached accounts.

You can enter your email and see which services have been breached with that email. I also recommend the password search, as it can let you know if a password has been included in a breach before.

2. For each account, make sure to use a different password.

If one account gets the password revealed, all your other accounts stay safe.

3. Use a password manager to keep track of these different passwords.

Personally I use Master Password which is a nice password manager because your passwords are never uploaded to a server (encrypted or not) while also being free. The best client for desktop is qMasterPassword while the best mobile option is the official app.