I’ve been pwned so it's new passwords for the new year
I haven't misspelled 'owned'. I've been pwned, which is another way of saying that my data has been breached. So has the data of customers of Equifax, Marriot, Yahoo, TalkTalk, British Airways to name a few.
What are customers of these organisations supposed to do? Sit back and wait for an email from that company that begins with “we regret to inform you’? What if that message never comes? What if, instead of a notice or alert from a data processor, you get a threatening email from an extortionist?
On my way home, one dark cool December evening, a notification popped up that I had received an email. I was addressed by my username and asked if I recognised a certain password. I did. I had used it in the past but couldn’t recollect where or when.
The sender then claimed they were in possession of a video webcam recording of me while accessing X-rated sites. Umm, nope. That wasn't me. I was then told that I had 24 hours to hand over £1000 in bitcoin or the video would be sent to all my email and Facebook contacts. The person said if I wanted proof that the threat is real I should reply ‘Yes’ to the email, and the incriminating video would be sent to 10 contacts.
Nice try, but nah mate. Pull the other one. I’m naturally a suspicious person and when someone makes a weird request, I think of my best friend who calls BS on everything.
It was unnerving to see that someone had accessed one of my old passwords though. I called a mate of mine who knows more a lot more about IT security than I do. He told me to check my bank account hadn’t been touched, delete the email and don’t pay anyone any money.
At home I started doing some research on this type of message and realised that I am not alone. I came across numerous Reddit threads of would-be victims giving their experiences and responses to this type of scam. In other versions of the scam, the fraudsters use the last digits of a recipient’s phone number. I also found quite a few publications, including Business Insider, had written about the porn blackmail email scam, which is also being called ‘sextortion’. I noticed that most of the search results were from May, July and October of 2018 so I am guessing there was a spike of activity in those months.
Action Fraud, the fraud and cyber reporting service of the UK police published an alert about about this type of phishing scam back in July, giving advice of what action to take if you have received such as email. The advice is; do not reply, perform password resets and use strong separate passwords with 2FA where available, and install the latest software and app updates. Action Fraud advises against paying the extortion fee but if it is too late and you already have, report the crime to the police. If you haven’t, report the attempt to Action Fraud itself. I reported the blackmail attempt but I felt I should have been asked for more details such as the email address of the sender.
Almost all the articles suggest that people who have received this scam run their email through Have I Been Pwned, a website that checks if accounts have been compromised in a data breach. The website told me that I had been ‘pwned,’ a word from gaming culture that means to be completely dominated or annihilated, in three different breaches.
This new year is starting off with new passwords for me.