
I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?

user32849 (edited by unor)
  • Anyone can set up a login form and then dump their database on the Internet. It's up to you to make sure this doesn't jeopardize you in any way. – John Dvorak Jul 24 '19 at 15:16
  • I don't see how this relates to the question. – user32849 Jul 24 '19 at 15:19
  • No breach site can ever claim to be complete. – schroeder Jul 24 '19 at 15:20
  • Do you know where this password came from? – schroeder Jul 24 '19 at 15:20
  • Unfortunately not. – user32849 Jul 24 '19 at 15:22
  • Interesting you mention MyFitnessPal - I had the same email this morning, to an address I rarely use online, with an old password. I also went to HaveIBeenPwned and the only site that comes up for that email is MyFitnessPal, and same as you the password for that was different anyway (I still changed it though). I did a deep dive through Last Pass to find anywhere else I used that password (it brought up a few really old logins I haven't used in years), so it may have been any of those (they'll all get updated). – Midavalo Jul 25 '19 at 04:36
  • Many data leaks are hash only. In those cases whether your password gets "de-hashed" is only a matter of how much effort an attacker puts in. So a random guy might obtain the leaked data and decide "fuck this guy" and put all his might into finding your specific password from that leak, while the rest of the world doesn't care about your hash that was leaked. – Giacomo Alzetta Jul 25 '19 at 07:34
  • How did they film through a taped-over camera? – RonJohn Jul 25 '19 at 10:19
  • I've received lots of these showing passwords / sites that don't show on HaveIBeenPwned. There are obviously breaches that have occurred which haven't been made public / for which the dumps haven't made their way onto HIBP. In my instances the passwords came from a jobs site and an IT consumables shop (plus some others that looked plausibly like passwords I'd have used 10+ years ago but have no record of). – Eborbob Jul 25 '19 at 10:34
  • @RonJohn I think they just sent a message implying that they filmed him ("we have full access to your system and can see you naked through your webcam, we have this password to prove it"). As in they didn't ever have access to the webcam, but they're hoping OP believes them. – JMac Jul 25 '19 at 11:40
  • Is your “actual password” weak or common? – Joe Jul 25 '19 at 12:46
  • It is also worth noting that HaveIBeenPwned will not show you breaches for more sensitive (adult) sites like AshleyMadison unless you go through the email verification process to prove that you own the affected email associated with the breach record. – shellster Jul 25 '19 at 17:21
  • @JMac that's what I was wondering. – RonJohn Jul 25 '19 at 21:05
  • My PW is relatively strong, though not random, and I don't have accounts on "sensitive" sites. I also don't believe I have been specifically targeted. The email is rather amateurish ("we had full access to your computer, but now we have removed any trace of our malware so you have no prove" - like that ever happens :-D). – user32849 Jul 26 '19 at 05:57

3 Answers


While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

john doe
  • Also worth noting that this is a *very* common tactic. They find a forum or website somewhere that has SQLi, dump the passwords, find the ones that aren't yet public, then send sextortion emails to that subset of users using the password as false leverage to "prove" that they know something about you that "couldn't" be known unless they had access to your computer. – Polynomial Jul 24 '19 at 22:37
  • I'd be slightly surprised if they bother filtering out accounts listed on HaveIBeenPwned. To fall for the scam you already have to not know about the scam and not know where to look to find out that it's a widely-reported scam. To *also* not know about HaveIBeenPwned isn't much of a leap from there, so the scammers might as well send it anyway. – Steve Jessop Jul 25 '19 at 13:05

Services like HaveIBeenPwned only store passwords that have been publicly leaked in attacks. They have no way of knowing if you have changed your password since, and they have no way of knowing if your password has been leaked via other means.

EDIT: just noticed that you were searching your passwords on there. You might have better luck searching usernames or email addresses.

520

To add, Troy Hunt has previously stated that there are occasions where he has been in receipt of compromised credentials and has decided NOT to include those in HIBP.

https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/

"As a result, I offered to permanently delete the copy I was sent and not load it into HIBP. As of Thursday evening, that's precisely what I did - permanently deleted every trace of it I had. This isn't unprecedented, I took the same steps as part of the clean-up in the wake of the VTech data breach and for all the same reasons it made sense then, it makes sense now. As with VTech, this should give those who were exposed in the incident just a little bit more peace of mind that their data has been contained to the fullest extent possible."

In practice, the ones in HIBP will have already been in circulation amongst the 'bad guys' for some time, and have either already been exploited or have been determined to be not worth the effort.

Gary