What The…? Hacker Knows My Password?!
A very common scam is an email demanding payment for not sharing embarrassing video of you, which the scammer claims to have obtained by breaking into your computer. To prove this, they quote your own password to you!
The good news is, this is a scam and you can ignore it. It does not mean someone has broken into your system.
But… how did the hacker get your real password?
The answer is that you have signed up to many websites over the years and given each one your email address and a password. At some point one of those sites was hacked and its user database, containing email addresses and passwords, was extracted. These databases are then sold or traded, so they are widely and easily available to scammers.
The issue is that you are trusting your password to a website, but some websites store these passwords securely, and some not-so-securely.
For a website to store a password securely means storing not the password itself but a hash of it: a fixed-length value derived from the password by a one-way function that cannot be algorithmically reversed. For example, the SHA1 hash of the word “password1” is E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D, and there is no way to calculate “password1” from that string. However, nothing stops an attacker working forwards: hash every word in a dictionary (or every short combination of characters) and compare the results against the stolen hashes. Common passwords have long since been pre-computed into lookup tables, and a fast hash such as SHA1 can be tried billions of times per second on ordinary hardware, so in practice a simple password behind a simple hash offers little protection. Modern websites use password-hashing algorithms such as Bcrypt, which add a unique random salt to each user's password (so pre-computed tables are useless and every account has to be attacked separately) and are deliberately slow (so each guess costs many thousands of times more than a SHA1). That does not make them unbreakable: a weak password is still guessable, just far more slowly. A long, random password is what really puts a hash beyond reach.
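To make the difference concrete, here is an added example (not part of the original article) that reproduces the SHA1 hash quoted above and runs the same dictionary attack against an unsalted SHA1 hash and against a salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from Python's standard library stands in for Bcrypt so the example runs without extra packages; the wordlist is a constructed stand-in for the many-million-entry lists attackers actually use.

```python
import hashlib

# The hash quoted in the article: unsalted SHA-1 of "password1".
ARTICLE_SHA1 = "e38ad214943daad1d64c102faec29de4afe9da3d"

# Constructed wordlist: a real attack uses lists with hundreds of millions of entries.
WORDLIST = ["123456", "qwerty", "letmein", "password", "password1", "iloveyou"]

# Stand-in for Bcrypt's work factor: each guess costs this many HMAC computations.
PBKDF2_ITERATIONS = 100_000


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the way a poorly designed site might store a password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted_sha1(target_hex: str, wordlist=WORDLIST):
    """Dictionary attack: hash each candidate and compare.

    One cheap SHA-1 per guess, and because there is no salt the same
    precomputed table works against every user in the breached database.
    Returns (password, guesses_needed) or (None, guesses_tried).
    """
    target = target_hex.lower()
    for tried, guess in enumerate(wordlist, 1):
        if sha1_hex(guess) == target:
            return guess, tried
    return None, len(wordlist)


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, slow password hash (PBKDF2 standing in for Bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack_slow_hash(target: bytes, salt: bytes, wordlist=WORDLIST,
                    iterations: int = PBKDF2_ITERATIONS):
    """The same dictionary attack against a salted slow hash.

    It still succeeds for a weak password; it just costs `iterations` HMAC
    computations per guess, and the per-user salt means the work cannot be
    precomputed or shared across accounts.
    """
    for tried, guess in enumerate(wordlist, 1):
        if slow_hash(guess, salt, iterations) == target:
            return guess, tried
    return None, len(wordlist)


if __name__ == "__main__":
    print("SHA1('password1') matches article:", sha1_hex("password1") == ARTICLE_SHA1)
    print("Cracked unsalted SHA1:", crack_unsalted_sha1(ARTICLE_SHA1))
    salt = b"\x8f\x11constructed-salt"
    print("Cracked salted slow hash:", crack_slow_hash(slow_hash("password1", salt), salt))
    print("Random password, salted slow hash:",
          crack_slow_hash(slow_hash("xK9#mZ2pQ!7rLw", salt), salt))
```

The salted slow hash does not rescue "password1": it falls on the fifth guess either way. What changes is the cost per guess and the fact that two users who chose the same password get different stored hashes, so the attacker has to start over for each account. The random password survives only because it is not in any wordlist.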
So when you receive an email quoting your own password, all that has happened is that the scammer is bulk-mailing everybody in a breach database where the passwords were stored in plain text, stored with a weak hash that was easily cracked, or were themselves weak enough to guess.
If you want to see which sites were potentially breached with your email address, enter it at the Have I Been Pwned? service. (This is not a complete list of every database breach; it only contains known breaches for which the breached data could be obtained and loaded, but it does give you an idea of where your stolen password might have originated.)
You can also get an idea of how often your stolen password has been seen across breaches using the HIBP Password lookup. The lookup does not send your password to the service: it is hashed in your browser and only the first five characters of the hash are sent, so the service cannot learn which password you checked.
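The following is an added example (not code from the article or from Have I Been Pwned) showing how that lookup works from the client side: SHA1 the password, send only the first five hex characters of the hash to the public `range` endpoint, and scan the returned `SUFFIX:COUNT` lines locally for the remaining 35 characters. The sample response and its counts are constructed for the example and are not real HIBP data; only the `fetch_range_online` function talks to the real service.

```python
import hashlib
import urllib.request

# Public k-anonymity endpoint: GET /range/<first 5 hex chars of SHA-1>.
HIBP_RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines for one prefix and return how many times the
    full hash was seen in breaches, or 0 if it is absent from the range."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Fetch one range from the live service (not used by the offline checks)."""
    req = urllib.request.Request(HIBP_RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range_online) -> int:
    """Return the breach count for `password` without ever transmitting it.

    `fetch` takes a 5-char prefix and returns the range text; it is injectable
    so the check can be run offline against a constructed response.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed response for prefix E38AD. The middle line is the real suffix of
# SHA1("password1"); the other suffixes and all counts are made up for this example.
SAMPLE_RANGES = {
    "E38AD": "\r\n".join([
        "00112233445566778899AABBCCDDEEFF001:3",
        "214943DAAD1D64C102FAEC29DE4AFE9DA3D:12345",
        "FFEEDDCCBBAA99887766554433221100FFF:1",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call: serve the constructed ranges, empty otherwise."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("password1 (constructed data):", pwned_count("password1", fetch=offline_fetch))
    print("xK9#mZ2pQ!7rLw (constructed data):", pwned_count("xK9#mZ2pQ!7rLw", fetch=offline_fetch))
```

To query the real service, call `pwned_count("...")` with the default `fetch`; the only thing that leaves the machine is the five-character prefix, which is shared by hundreds of other hashes in the response.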
What To Do Now
Despite the harmless nature of the scam email, the fact remains that your email address and password are out in the wild, and other attackers are feeding such lists into automated login attempts against all sorts of other services. This is called credential stuffing, and you are particularly exposed to it if you used the same password on many sites. The remedy is straightforward although tedious: in the first instance, change the password on every service where you used the leaked password. If you are not sure which those are, change every password everywhere. Use a different password for each site from now on, so the next breach can only ever expose one account. This might take several hours, but it is an excellent investment in your online security.
If your machine is managed by Cadzow TECH, use the Cadzow Password Tool to create secure, random passwords for this task.
See also Protecting Yourself After Virus Infection, Phish Attack or Theft, and while you're at it, consider whether your credit card and smartphone PINs are too weak.