
Beware New Bitcoin Extortion Scam That Uses Stolen Passwords

On Krebs on Security, Brian Krebs writes about a new email scam making the rounds. As with previous scams, the sender claims to have pictures of you watching pornography captured from your webcam and threatens to publish the images unless you hand over a hefty Bitcoin payment. A new twist makes it more convincing: the extortion message includes an old password for an online account connected to your email address. Krebs suspects that these passwords are being extracted from the many password breaches that have occurred over the years, and he worries that this type of attack will become more sophisticated and convincing over time. For now, if you receive one of these messages, just ignore it, and make sure to use a strong, unique password for each of your online accounts, which is easy if you use a password manager like 1Password or LastPass.

Read original article


Comments About Beware New Bitcoin Extortion Scam That Uses Stolen Passwords

Notable Replies

  1. I just received one in my SPAM filter as I’m reading this article. What will they think of next?

  2. Thanks to 1Password I wouldn’t even recognize a password I use at any web site.

  3. “For now, if you receive one of these messages, just ignore it, and make sure to use a strong, unique password for each of your online accounts, which is easy if you use a password manager like 1Password or LastPass.”

    There is one caveat to that, Josh; it should end like this: "…or LastPass, IF the website accepts the form of the generated password."

    Too many websites so severely restrict the form of an acceptable password that 1Pwd/LP-generated passwords are considered unacceptable. Here is an example from a U.S. Government site:

    The PASSWORD MUST:

    be 9 to 30 characters in length
    contain at least one uppercase letter (A-Z)
    contain at least one lowercase letter (a-z)
    contain at least one number (0-9)
    contain at least one of the following special characters: # @ $ % ^ ! * + = _
    change at least four characters from your previous password

    The PASSWORD CANNOT:

    contain spaces
    be one of your last five previous passwords

    The PASSWORD will expire in 150 days.

    It is hit or miss whether a random 1Pwd-generated password meets those requirements.

  4. “Here is an example from a U.S. Government site”

    The operator of that site should be asked to review “NIST Special Publication 800-63-3 Digital Identity Guidelines”

    https://doi.org/10.6028/NIST.SP.800-63-3

    If you set up 1Password’s password generator to, say, generate a 30-character password with 3 digits and 7 symbols, you are almost certain to generate an acceptable password on the first try.

    –Ron
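As an added illustration of the hit-or-miss point raised in the two comments above (this is example code, not from either commenter and not 1Password's own generator): a checker for the rules listed in the government-site policy, plus a simulated "letters + N digits + M symbols" generator, showing that the generator's symbol set matters far more than its length or counts. The broad symbol set, and the assumption that the site rejects rather than ignores unlisted symbols, are constructed for the example.

```python
import random
import string

# Rules as listed in the comment above. The "change four characters" and
# password-history rules need the previous passwords, so they are not modelled.
ALLOWED_SPECIALS = "#@$%^!*+=_"
MIN_LEN, MAX_LEN = 9, 30
PERMITTED = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)


def check_policy(pw: str) -> list:
    """Return the names of the rules the password fails (empty list = accepted)."""
    failures = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        failures.append("length")
    if not any(c.isupper() for c in pw):
        failures.append("uppercase")
    if not any(c.islower() for c in pw):
        failures.append("lowercase")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    if not any(c in ALLOWED_SPECIALS for c in pw):
        failures.append("special")
    if " " in pw:
        failures.append("space")
    # Assumption: a symbol outside the site's list is rejected, not ignored.
    if any(c not in PERMITTED and c != " " for c in pw):
        failures.append("unlisted-symbol")
    return failures


def generate(length=30, digits=3, symbols=7, symbol_set=ALLOWED_SPECIALS, rng=None):
    """Constructed stand-in for a manager's letters+digits+symbols generator."""
    rng = rng or random.SystemRandom()  # CSPRNG, as a real manager would use
    chars = ([rng.choice(string.ascii_letters) for _ in range(length - digits - symbols)]
             + [rng.choice(string.digits) for _ in range(digits)]
             + [rng.choice(symbol_set) for _ in range(symbols)])
    rng.shuffle(chars)
    return "".join(chars)


def acceptance_rate(trials=1000, **generator_settings):
    """Fraction of generated passwords the policy accepts."""
    return sum(not check_policy(generate(**generator_settings)) for _ in range(trials)) / trials


if __name__ == "__main__":
    print(acceptance_rate())  # symbols limited to the site's list: ~100% accepted
    # Broad, constructed symbol set: almost every 7-symbol password hits an unlisted one.
    print(acceptance_rate(symbol_set="!@#$%^&*()-_=+[]{};:,.<>?/"))
```

With the 30-character, 3-digit, 7-symbol setting the only way to fail is for all 20 letters to share one case, which is why restricting the generator's symbol set to the site's list makes acceptance near-certain.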

  5. What? You expect one U.S. Government agency to change because another U.S. Government agency did?! :rofl:

    BTW, the overall owner of the site in my example is the Department of Defense!

    Thank you for the suggestion, I’ll look into it at my next mandatory change.

  6. Hope springs eternal, I guess.

    The DoD is currently getting a certain amount of flak from Congress about their failure to follow NIST guidelines when it comes to infosec issues. Apparently, NIST reports have some actual statutory or regulatory weight with other departments beyond just being suggestions. If you complain, there is a chance that memoranda will be issued. Who knows, perhaps a task force or subcommittee will be formed. If you’re really lucky, a report might get issued. Progress!

    At the state government level, I have worked with web site maintainers who basically said that they had thrown in the kitchen sink on password requirements in order to deflect criticism should they get breached. They were actually grateful to have official guidelines to follow, so instead of “I just made it as complicated as I possibly could” they can say “I followed best practices as put forth by the National Institutes of Science and Technology.” As these decisions are often made by individual developers operating in a relative vacuum (yes, even at DoD), it can be surprising how much difference it can make.

    –Ron

  7. Those rules are very similar to the ones for Citizens One, the bank that administers the iPhone Upgrade Program. Super annoying.
