Potentially hacked, request for bitcoin. What now?

So I am trying to figure out how to respond to a potential threat.

I got an email this morning that contains a variation of my least secret password. It’s the password I use at sites I don’t care about. Sites where I don’t have a profile and don’t pay for anything. Sites like Udemy or Pinterest (I guess Pinterest, although I looked through LastPass and see I have a strong password for Pinterest, which I can’t even believe I have, because I actually hate Pinterest and how it forces me to log in to see a picture from Google results. But I digress). The email was written in English by someone without strong English language skills. I think it says it has video of me watching videos as well as all my contacts from FB and my address book. It says I have to give bitcoin or it will embarrass me.

First, this is so fucked up.

I guess it means (or is trying to suggest) that it has video of me jacking off? Who wants to see that? Second, how compromising can this video be? I mean, I guess it’s from the little built-in camera in the lid? Well, shit. That’s just going to show me squinting at the screen. How compromising is that? I think it says it’s going to release the URL of the video, which now THAT could be compromising. But fuck it, I will just DENY EVERYTHING like a future SUPREME COURT JUSTICE.

It says if I give it some bitcoin it will delete all the images and we will be cool. I’m NOT going to do that. But seriously: (really) what should I do?

I’ve never gotten a request like this before.

(And I know I’ve written this in a silly way, and it’s okay to goof around in this thread, but I am seriously interested about what to do, so please offer any thoughts you have, along with any silliness, although silliness certainly isn’t required).

Here is what I’ve done so far:

  • I scanned my PC and found two potential threats on the Win10 machine. My (quick) research indicates these threats are the kind that pop up ads and take over your browser, but that’s not anything like the threat in this email.
  • I looked at LastPass to see the places I’ve used that password at recently. Nothing really popped up to the top of the list.
  • I have thought about the meaning of the way it contacted me and the password it revealed. It sent the email to a custom address, but I use the address everywhere and it’s mapped to my name (tim @ telhajj . com). I’m not sure how much the revealed password (which isn’t an exact match, but is pretty darn close) or the email it used should factor into my analysis.
  • I wrote this thread.

Thoughts? Ideas? What else should I do?

Has anyone had anything similar? I’ve heard about ransomware happening to big companies, but I’ve never had it happen to me. I have had my share of Nigerian scam letters, but never the password thing. It’s pretty effective! If nothing else, I guess I wrote this.

Throwing on my old investigator hat, let me ask a simple question. Is the partial/varied pw that was sent made up of information that would be publicly available or visible online?

Secondly, you did change your PW at the locations where this semi-accurate or partial version was used?

I could easily see it being a blackmail phishing expedition. Download a list of compromised passwords from previous hacks and then blast emails to everyone they can claiming they have incriminating data, but without enough specifics to confirm, and hope some people are scared enough to comply.

Most actual blackmail schemes I’ve seen are crypto viruses that encrypt important data and then ask for money/bitcoin in order to get the key to decrypt it again.

Just ignore it. Do not reply.

Man, I don’t know how deeply embarrassable you are or what kind of career implications it could have, but I think I’d call their bluff. If anyone wants to watch me jerk it, feel free, I guess. It’s unlikely to be much of a turn-on, and I wouldn’t like to have to explain it to anyone at work, but eh, I think it’s survivable.

Now if it’s videos of you watching illegal porn or killing a puppy or some such, then you might have to pay.

This. This is what is called a “Spear Phishing” attempt. Someone who had enough info to mess with you is attempting to gain a response from which more information can be gathered. Ignore.

This is a known scam. They pull an old password list (which may be a legit former or current password) and use the porn thing to scare you.

Most likely haven’t actually hacked you.

https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

Yep, some random site was hacked and they’re trying to extort without having the goods.

It is not spear phishing. That guy sent out thousands of those emails.

Don’t give it a second thought. And do not reply.

Agree. And 90% of the planet has looked at a website that would be embarrassing, as well as probably Divinyled themselves at a website as well. So that is always the implied threat.

Yeah, that’s what I’m thinking too, just to ignore. I’m not going to pay. I just wondered if there were some other thing to do that I’m not able to think up. It sounds like I’m pretty good.

I appreciate it guys. Very encouraging! Thank you.

Well, I would change my password on any sites using that email address. Check out the Have I Been Pwned site to find ’em. Everybody should do that anyway, by the way.
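As an added worked example (not code from anyone in this thread), here is the password side of the Have I Been Pwned check the post above recommends: the Pwned Passwords range API. The client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and compares the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines, so the full hash never leaves the machine. The `fake_fetch_range` stand-in below is constructed so the example runs offline; the hash suffixes for "password" and "123456" are real SHA-1 remainders, but the counts and the filler line are made up. `fetch_range_live` does the real lookup and is an assumption about a working network path, not something the demo exercises.

```python
import hashlib
import urllib.request

# Added example, not from the original thread: Have I Been Pwned "Pwned Passwords"
# k-anonymity range lookup. Only the 5-char SHA-1 prefix is sent; the suffix is
# compared locally against the candidate list the API returns.

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Malformed lines are skipped."""
    result: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35:
            continue
        try:
            result[suffix.upper()] = int(count)
        except ValueError:
            continue
    return result


def breach_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the corpus (0 means not found).

    `fetch_range` is any callable taking the 5-char prefix and returning the
    response body, so the same logic works against the live API or a stub.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network lookup (assumed reachable; not used by the offline demo)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix, headers={"User-Agent": "pw-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. The suffixes are
# the real SHA-1 remainders of "password" and "123456"; counts and filler are invented.
_FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # sha1("password")
        "0123456789ABCDEF0123456789ABCDEF012:2",         # filler entry
    ]),
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23597311",  # sha1("123456")
}


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for fetch_range_live using the constructed data above."""
    return _FAKE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ["password", "123456", "a unique passphrase nobody reused"]:
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: {('seen ' + str(n) + ' times') if n else 'not found'}")
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service. A nonzero count means the exact password is in a public breach corpus and should be retired everywhere it was reused; a zero does not prove a password is safe, only that this corpus has not seen it.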

haha, once you’ve published a memoir about your ten year addiction to heroin, all the rest of the embarrassing moments sort of fade into the background. :)

I actually did that a few years ago when I started using LastPass. But then I kept using this same password because it’s easy to remember and some sites I just don’t care about protecting. I should probably stop. I don’t think it’s in LastPass anymore, so it would be hard for me to find which sites I use it on. If I go to a site and it’s not in LastPass and not something I want in LastPass, I use this password.

Unfortunately, if you used that same email and password elsewhere, those sites are now compromised also. And even if the data seems harmless, your privacy matters: you can glean a lot about a person from their activity on random sites.

But I’m notoriously paranoid about that stuff. I go to great lengths to be ungoogleable.

Oh cool! Didn’t know you wrote a book. Will put that on an Amazon list for next time I buy stuff to read.

Yeah, Tim, I think you just sold two books. :) So the guy did you a favor.

I for one would enjoy watching that video of his facial expressions while jackin’ it. That would be hilarious.

Just got one of those emails today as well. Considering I don’t own a webcam…

Thankfully the password was unique and I traced it to some site that I must’ve bought a grey market CD key off of ages ago, because the name doesn’t ring a bell and there’s no record in my email.