A Personal Attack
Have you recently received an email with one of your actual passwords in the subject line?
There is a new email attack circulating where the scammers claim they stole your password and hijacked your webcam. Your password was most likely found in one of the many databases of leaked emails/passwords that can be accessed on the Internet.
I know this because it happened to me.
A few days ago, I was trying to track down an old email and ended up looking in my “Junk” mail folder. The subject of one of the emails caught my eye. It displayed one of my personal email addresses followed by an old password that I recall using, long ago, for social media accounts.
Knowing that my mail client is set not to download any remote content, but against my better judgment, I clicked to preview the email. It contained the email below:
After a quick read I knew it was a scam, but the idea that my email address and an actual password was “out there” and up for grabs, was more than a little disconcerting.
I knew that I had been vigilant about changing passwords, have been in the habit of using stronger passwords, and have been using a password manager (1Password) to keep control of logins and passwords. Even with this level of confidence, I spent a few hours checking accounts to make sure that password is not still in use. I actually found one account still using it and changed the password immediately.
After doing a few Google searches I found that this scam has been spreading over the last few months. It appears that my password was leaked from one of the data breaches at Adobe, DropBox, Yahoo, eBay, or myspace (yes, I had a myspace account).
You can check to see if you may be impacted by one of these data breaches here: https://haveibeenpwned.com
This incident just reinforces everything that you have been told about passwords. Unfortunately, though, it can still happen to anyone, which I now know first-hand (and cybersecurity is a large part of what I do for a living!).
You should take steps to protect yourself ASAP!
Check to see if you’ve been impacted by a data breach at the URL above
Use strong passwords
Use a password manager to generate unique passwords for each of your accounts
Where possible, turn on two-factor authentication for services that support it
At the end of the day, this attack was a non-event, but it did cost me time. You can never be too safe, so be smart about managing your passwords.