Several friends and professional contacts phoned me in a state of panic this summer saying they had received emails from a shady entity claiming to have hacked their computer webcams while they were viewing adult websites. The interlopers threatened to send video clips of these folks doing—well, you can guess—to all of their contacts unless they paid a ransom.
Should they pay? Should they torch their electronics? How does one acquire $1,900 in Bitcoin?
Normally, one might ignore the demands of a random stranger making outrageous claims on the Internet. But these messages bore a troubling bit of information, something that instantly set their targets on edge. “I am aware, [redacted], is your pass word,” the notes began, accurately.
Imagine finding this in your inbox. Subject line: “[your name] – [one of your passwords].” Try not to snap to attention.
Here’s what I advised everyone to do. First, calm down; breathe. Second, check to see whether any accounts tied to that password appear in Have I Been Pwned, a searchable database that identifies what personal information of yours may have leaked as a result of various online breaches. If any accounts that once used that password pop up, then the extortionist likely scraped all of the information from one of these data dumps. Translation: The crook has not been monitoring your every keyboard touch, screenshot, and webcam image. Rather, the delinquent is bluffing—frightening unsuspecting victims into forking over cryptocurrency.
In every case I encountered, Have I Been Pwned showed the passwords to have spilled as part of a dataset originating in a 2012 breach of LinkedIn—a relief. So I advised my counsel-seekers to take a few steps. Change the password for any account still using the exposed password. Download a secure password manager to keep track of the new (stronger, I hope) passwords. Apply two-factor authentication, an extra security measure, wherever possible—preferably using apps that serve up one-time codes versus SMS texting. While you’re at it, go ahead and cover up that webcam. (Brian Krebs, another journalist who investigated the scam, has more tips here as well as an inquiry into who might be behind it.)
Ryan Kalember, senior vice president at Proofpoint, a cybersecurity firm, shared my instincts. When I emailed him for his opinion, he recommended, as a first course of action, checking Have I Been Pwned. “If it shows up there, you’re probably fine—this campaign seems highly automated, with just enough tweaking to get through most spam filters and email gateways,” Kalember said. But: “If the password doesn’t show up there, that’s more worrisome, and you should definitely investigate whether you’ve recently clicked on a phishing link for the account where you used that password, or have your computer compromised with credential-stealing malware.”
None of the people who sought my counsel ended up paying the ransom, as far as I know. And none of them, I’m happy to report, suffered any consequences as a result, as far as I know. I certainly have not received any salacious materials featuring their private acts. Thank goodness.
If ever someone tries to scare or intimidate you into performing some action, like paying a ransom, always treat the threat with extra scrutiny. Criminals are generally not an honest bunch.
If you’ve been the target of a similar scam, I would love to hear from you. Do drop me a line. And stay safe out there.
This article first appeared in Cyber Saturday, the weekend edition of Data Sheet, Fortune’s daily newsletter on the top tech news. To get it delivered to your in-box, sign up here.
