An Old Scam With a New Twist

If you have gotten a message from someone who claims to have dirt on you — and shows off, as proof, a password you’ve previously used — here’s what happened.

Q. I just got an email message from someone claiming to be a hacker who broke into my computer and used my webcam to watch me looking at adult websites. That part of the message tipped me off that this was a scam, but the subject line contained an old password that I’ve used before. How did this person get that information?

A. These sorts of online extortion schemes — which try to guilt people into paying off hackers claiming to have compromising information — are nothing new. But a new wave of messages that began popping up in mid-July has stepped up the ploy by showing passwords in the subject headers as attention-grabbing “proof” that someone has deeply burrowed into your computer and has your personal information.

A recent scam message tries to extort money by claiming to have a secretly recorded video based on a hack of the recipient’s computer and knowledge of the person’s password. Credit: The New York Times

As for the inclusion of a real password, after years of database breaches from major sites and services like Yahoo, eBay, Sony PlayStation and dozens of other companies, varying amounts of people’s data are floating around the internet, often for sale on the black market. That data is now being melded into traditional phishing scams.

According to the Krebs on Security blog, several recipients of this particular blackmail campaign observed that the password included in the message was old, some by about a decade, and not currently in use. For those who haven’t changed their passwords in years, the ruse could appear more realistic, and the hustle itself may become fine-tuned as the perpetrators weave in fresher bits of stolen user data.

Updating your passwords frequently is a good security practice. So is adding two-factor authentication to verify your identity beyond the password, using one-time codes sent by text message, generated by an authenticator app, or supplied by a special USB security key plugged into the computer. If you have a lot of passwords to wrangle, keep track of them in a secure password-manager program; Wirecutter, a product review site owned by The New York Times, recommends LastPass.

You can report phishing incidents on the F.B.I.’s Internet Crime Complaint Center site.

Personal Tech invites questions about computer-based technology to This column will answer questions of general interest, but letters cannot be answered individually.

J.D. Biersdorfer has been answering technology questions — in print, on the web, in audio and in video — since 1998. She also writes the Sunday Book Review’s “Applied Reading” column on ebooks and literary apps, among other things. @jdbiersdorfer