Skip to main content

So this happened: I received an email with my name and one of my passwords in the subject line. And the first words of the email are “Lets get straight to point. Neither anyone has paid me to investigate about you.”

Guess who got the latest sextortion scam email? Yep! Lucky me!

The email goes on to make accusations and to threaten exposing me unless I pay an extortion fee via bitcoin. You can read the text of the email here, as it’s making the rounds and plenty of people have received it. Warning: It’s nasty.

What set this email apart? My password
So it’s a scam. So what, right? Why didn’t I just delete it? Why was it such a big deal to get this email? There were two reasons why this email surprised me: One, I have my spam filter set very high, so I almost never get spam in my inbox. How did this one get past? I don’t know. And two, the subject line included a password that I’ve used a lot and no one would be able to guess. That got my attention right away, believe me!

As soon as I started to read the email, I knew it was a scam, but still: my password! How did they get my password? That’s when I started digging, and learned that more people are paying off these scammers because they see the password and think there might be some validity to the claims made. As Brett M. Christensen at the Hoax-Slayer website says, “The scammers know that if you receive an email that actually includes one of your passwords – even an old one that you no longer use – you may be much more inclined to believe the claims and pay up.”

So again, how did they get my password? When it was stolen as part of a data breach, it turns out.

Has your data been compromised? Find out
One very good lesson was learned with this disgusting email: I found out I could go to https://haveibeenpwned.com and see which data breaches have included my data. I strongly advise you to do this as well. I was shocked to see that my data had been compromised in eight (yes, eight!) different data breaches. That’s where the scammers got my old password.

I reviewed the list and made sure I had updated any necessary passwords or deleted accounts for each of the breaches. Sadly, one was a marketing firm that collects information on people to sell, and there isn’t anything I can do about that—except be annoyed that the information is collected and sold without my knowledge.

Changing old passwords
More good came from this: I then went through and discovered I was still using that old password in some cases. I was able to both change the password where necessary and delete old accounts that I don’t use any more. It was like cleaning out a digital closet! That felt good!

And finally, getting stricter about passwords
The final benefit to this experience was a renewed commitment on my part to using stronger passwords, as well as keeping up with changing passwords on a regular basis. To be more vigilant about your own passwords, follow this advice.

The sense of violation I felt to have this email in my inbox, the fear caused by the threatening tone even though I knew it was bogus, and the sorrow in knowing that there are people out there who will pay the extortion money are all still with me. It’s hard to shake off that negativity, and that angers me more than the actual email. But the scammers gave me a gift: new insights into keeping me and my data safe. I hope you’ll put these insights to work to protect your information as well.