A spam campaign is underway that immediately grabs your attention by letting you know a hacker has your password. The email goes on to reveal supposed details of your browsing habits as well as images of you captured via webcam. The hacker seeks a few thousand dollars as a “privacy fee”.
So how did they get your password? Simple! Poor security on any number of sites you visit. The LinkedIn Data Breach is an example where millions of account credentials were stolen. These usernames and passwords are available to be bought and sold on the dark web. It is likely that a malicious individual obtained a database of compromised accounts, crafted a nefarious message and used a mail merge to send out the emails in bulk.
What should you do? Don’t panic! This is nothing more than a clever spam campaign designed to scare you into paying a con artist. You have not been hacked, you don’t have a keylogger installed, and the hacker isn’t tracking whether you read the email.
Next, protect yourself and your accounts. Visit https://haveibeenpwned.com to see if your email address and any online accounts were exposed in a data breach. Note that some breaches are part of a “combo list” that does not provide the originating source of the stolen information. Change your password on any of the identified sites. Additionally, Google your email address and scan the search results for any sites where you may have used the same password.
Moving forward, consider using a password manager, and use two-factor authentication on any site where it is available.