UKC

Just picked up an email in one of my accounts, of a fairly familiar type - it's the 'I have installed a trojan on your computer and used your webcam to film you watching porn movies, so pay me via this bitcoin wallet or I will send the video to all your contacts' one.  The fact that I've never watched porn, and I don't have a webcam, means I'm not taking it too seriously!

However: in this email it mentions one of my passwords.  It claims that it's the password to the email account.  It's not, but it is one of my minor passwords that I use for less important sites.

The really interesting thing is that I am fairly sure that I have never used that password and that email address together; I tend to use a different email address to log into sites that I use that password for.

I'm trying to work out what this means - if I had used the password and email together on the same sites, I'd simply assume that one of those sites had been compromised.  But does this mean that I'm likely to have a keylogger trojan on my PC, and by chance they've simply not connected the password to the correct email address?

Not sure what action I should take, on a scale from ignoring to burning the PC with fire.  It's protected with Windows Defender and nothing more.

'there are only two types of people in the world, those that watch porn and those that lie'

hope that helps! 

Should I ignore this scam email..?

No you should reply to every and all scam emails

Its difficult to tell if they might just have guessed it. Tell us, what is the password you're worried about....?

A good article from El Reg and a very funny read
https://www.theregister.co.uk/2018/10/26/blackmail_video/

Basically it is a total scam and not true. So many sites have been hacked recently that your password is probably all over the place

https://haveibeenpwned.com/ is a good site to check where your details were stolen from, for me it is:

Adobe
Dropbox
Last.fm
Linux Forums

and my passwords were found in Exploit.In and a Spam List. Worry not good person.

Cheers, Josh.  Yes, I'm perfectly happy that the threat itself is nothing to worry about - even if I am lying* about watching porn, the lack of a webcam makes it rather implausible that I've been recorded!

It's the conjunction of one of my passwords, and an email address that I'm fairly sure I have never associated with that password, that makes me stop and think.  If the password and email lined up I would indeed assume it's been compromised in a  breach of some sort.

* If you're reading this, I'm not, darling.

Fairly sure or 100% sure? If it was me personally I would change any sites that use that password (which I could remember [which lets be honest is not many]) and just ignore it. These sorts of things are done on a large scale using a list of email addresses and password pulled from a breach.

It isn't economical any more for scumbags to try to breach standard peoples computers to get this info. If they had breached your computer they would stay quiet and wait for you to login to your online banking.

I was watching porn last night when my sister walked in!

I had no idea she did that for a living

If it was me I'd ignore the scam, but take it as a warning to change my passwords. For people who can't remember all their passwords, you can use a simple method that depends on the title of the webpage you're on. For example, a UKC password might be: VLD,192D. (Add a letter to the UKC letters -> VLD, then a random string of characters that's repeated in all your passwords, then another letter that's from the first group of letters.) Another website might be DEF,192F. Easy to remember. Or pay for a reputable password manager.

Then run a virus scan with defender, and possibly also something like Spybot S&D. If it all comes back clean then move on and forget about it.

Have a look at this too:

https://haveibeenpwned.com/

Edit - beaten to it!

Birthday and favourite pet's name would be handy too.

Cheers.  Windows Defender and Spybot both reporting no issues, so I will stand down.

That's more or less my password strategy, NottsRich - the password that's been picked up is the simple one that I use only for sites where I imagine that I'll never need to come back to them again.  It shouldn't get anyone into any site that actually matters.

And Grandparent's first names, mother's maiden name and primary school you went to...

To be honest during my teenage years enough people walked on me having some quiet time so to speak. So a hacker sending an email to those same people would just be a continuation of the theme.

What's the chance of them actually catching me in that seven second window...

If you've never used the two bits of information together it seems more likely someone has stitched data about you together from multiple sources.

jk

I get loads of these, not quite sure what that says about my browsing habits

My details also appear on those links when i put my address in, along with 17 million others i suspect.

I know if something fishy is going on or has been hacked as have my own domain name and when i register for a new site i always use the site name followed by my domain, for instance adobe@*****.co.uk or dropbox@*****.co.uk makes it pretty easy to track who has been hacked or is selling contact info on to Indian* spammers, can then go onto the site and change it to adobe1@*****.co.uk and blacklist the original one

*other nationalities of spammers are available

I just googled

"myemailaddress pastebin"

and it came back with a flat file with my throw away password in, turns out it is also my UKC password... (changed before posting). If you were ever on Steam have a search of your steam "username" pastebin or "email" pastebin, it might pop up.

Does that not cause or potentially cause any problems with the companies involved?

I know someone who used to do that and when he complained to a particular company about a data breach/selling data, their initial response was to send to their legal dept who wrote to him about unauthorised use of the company name!

Report it to the police on-line fraud people. Our local force has, through their social media, asked for anyone who receives this scam to contact them. It appears that they are working on where it originates and the owners of the bank accounts to which money can be sent. It is a known scam.

Outdated info. That used to be ok some years ago, but not now.

That's the way to go. Then all of your passwords will be big random strings like Am8W6k*#wcB&8*H$ Some managers will go around and change you passwd for you on a regular basis and monitor to see if any of the sites you use have been compromised.

If you're really paranoid, you can use two password managers, but not at the same time. One for your main set of accounts, the second just for financial stuff. The second one you only log in briefly, when you need to access a specific account.

These kinds of human created patterns are childs play to break these days. Unfortunately the best passwords are the ones that a normal human being is incapable of remembering, if you can remember it then it's not secure. At the very least don't give any of your passwords similarities or a logically created structure. For example if the OP's password was created with the system you suggest then the hacker would now have access to every other password that uses the same formula. Once you have the password it becomes quite easy to work out how it was formed and apply it to other sites.

beat me to it!

You should ignore it, but . . . .

           . . . .  in my case they've come back a month later, giving me 50 hours to pay up or all my known world will be privy to whatever I've been doing (oh dear the 50 hours are up) when I could be climbing

Is that in-sist?

https://xkcd.com/936/

You should consider using the TOR browser to NOT watch porn , it's what many hackers use to remain anonymous.

Al

Dammit.  My next qestions was going to be whether I needed to change my password from CorrectHorseBatteryStaple to something else.

Whilst I don't disagree with you, this approach is pretty good fro producing strong passwords that are easy to remember - https://xkcd.com/936/

The main problem with passwords is that IT security people completely ignore human nature and insist on the sort of annoying password rules that ensure they're difficult for humans to remember. The result is that people, being people, either write them down, or use the same one for everything (which is probably a poorly-disguised common word anyway in a desperate attempt to create something memorable). 

IT security people need to take human nature into account and come up with a different approach (e.g. by providing randomly generated concatenated words like the xkcd cartoon linked above).

It really grinds my gears when they roll their eyes and say "when will people learn?". The answer is never. People don't want to learn and professionals should accept that, take it into account, and come up with approaches that people can get on board with.

Gah! You beat me to the link while I was typing my diatribe!

Nope, never had an issue, it's just a registration address, its not like i'm trading on it, can just abbreviate it if i need to.

How do you manage so long?

Er..just asking for a friend.

A second per inch as a rule of thumb..

Oh

(a) ignore it

(b) systematically adopt good password practise

(c) back up important data somewhere else

(d) check your firewall, keep your system up to date and run a virus scan routinely

http://www.scotland.police.uk/whats-happening/news/2018/august/public-to-be...

This was a common scam tried over the summer. Action Fraud did have an article on it but I can't find it on their website. 

As above ignore, delete, consider changing your password, report to action fraud as it lets them know this is still being tried.

Um, isn't that a phishing site?

was the email in amusingly bad  “Engrish” Including brilliant euphemisms? A friend gets a frankly disproportionate amonnt of these from China (with the text apologising for bad English), my favourite euphemism so far is “dashing your doodle” 

Not as far as I was aware? Besides a phishing site tries to pass itself off a legitimate site such as a bank, eBay, PayPal etc to get your login details. This only asks for an email address and just references a database. The guy behind it Troy Hunt is reasonably well known in the IT security world.

Edit: hope that doesn't sound condensing or passive aggressive. Not had coffee yet  

It wasn't that one (I've seen that a few times, and had a good laugh at it).  It's in a similar format but has had a rewrite.  You'd still spot straight away that it was written by someone who doesn't have English as a first language, but it's nowhere near as amusing.

No. Passwords on their own are insecure.

There are good, secure easy to use systems, but they are not in use at many places. The phrase you are looking for is, multi factor.

A simple method is to sms you a magic code that you need to enter for the second stage of authorisation. The banks do this. It's convenient, cheap, the technology is wide spread and relatively secure. There are attacks against it, such as phoning up the phone company and porting the number to a different device. It will stop casual hacks, using harvested credentials.

A better solution, is to use an authenticator app, such as google authenticator. For that, you scan a qr code, and it generates a token that changes every 30 seconds. That way, then need your user name & password and your phone to get the token.

If you use gmail as you main account, turn on two factor auth.

https://www.google.com/landing/2step/

ignore it , i have had the same e mail and my wife has had it twice . 

I get that you've never watched porn

...but just to be on the safe side film yourself 'enjoying some me time' and send it to all your contacts. Hey Presto, the scammers have no leverage. You could even wear a Santa hat and send it instead of the more traditional, but boring, Christmas card.

WOW nice one, I've been done on:

Dailymotion

Lastfm

MoDaCo

Myspace (whatever the Fook that is)

NetEase ??

Onliner Spambot.

Who knew I was so popular, it does make yo wonder though.