Hi everyone! 👋 Someone I know recently got an email informing them that their account had been hacked. The subject of the email had their password and the email went like this:

𝙸𝚝 𝚜𝚎𝚎𝚖𝚜 𝚝𝚑𝚊𝚝, xxxxxxxx, 𝚒𝚜 𝚢𝚘𝚞𝚛 𝚙𝚊𝚜𝚜𝚠𝚘𝚛𝚍.

𝙸 𝚛𝚎𝚚𝚞𝚒𝚛𝚎 𝚢𝚘𝚞𝚛 𝚌𝚘𝚖𝚙𝚕𝚎𝚝𝚎 𝚊𝚝𝚝𝚎𝚗𝚝𝚒𝚘𝚗 𝚏𝚘𝚛 𝚝𝚑𝚎 𝚝𝚑𝚎 𝚗𝚎𝚡𝚝 𝟸𝟺 𝚑𝚘𝚞𝚛𝚜, 𝚘𝚛 𝙸 𝚠𝚒𝚕𝚕 𝚌𝚎𝚛𝚝𝚊𝚒𝚗𝚕𝚢 𝚖𝚊𝚔𝚎 𝚜𝚞𝚛𝚎 𝚢𝚘𝚞 𝚝𝚑𝚊𝚝 𝚢𝚘𝚞 𝚕𝚒𝚟𝚎 𝚘𝚞𝚝 𝚘𝚏 𝚎𝚖𝚋𝚊𝚛𝚛𝚊𝚜𝚜𝚖𝚎𝚗𝚝 𝚏𝚘𝚛 𝚝𝚑𝚎 𝚛𝚎𝚜𝚝 𝚘𝚏 𝚢𝚘𝚞𝚛 𝚕𝚒𝚏𝚎.

𝙷𝚎𝚕𝚕𝚘, 𝚢𝚘𝚞 𝚍𝚘 𝚗𝚘𝚝 𝚔𝚗𝚘𝚠 𝚖𝚎 𝚙𝚎𝚛𝚜𝚘𝚗𝚊𝚕𝚕𝚢. 𝙱𝚞𝚝 𝙸 𝚔𝚗𝚘𝚠 𝚎𝚟𝚎𝚛𝚢𝚝𝚑𝚒𝚗𝚐 𝚌𝚘𝚗𝚌𝚎𝚛𝚗𝚒𝚗𝚐 𝚢𝚘𝚞. 𝚈𝚘𝚞𝚛 𝚎𝚗𝚝𝚒𝚛𝚎 𝚏𝚋 𝚌𝚘𝚗𝚝𝚊𝚌𝚝 𝚕𝚒𝚜𝚝, 𝚜𝚖𝚊𝚛𝚝𝚙𝚑𝚘𝚗𝚎 𝚌𝚘𝚗𝚝𝚊𝚌𝚝𝚜 𝚊𝚕𝚘𝚗𝚐 𝚠𝚒𝚝𝚑 𝚊𝚕𝚕 𝚝𝚑𝚎 𝚟𝚒𝚛𝚝𝚞𝚊𝚕 𝚊𝚌𝚝𝚒𝚟𝚒𝚝𝚢 𝚒𝚗 𝚢𝚘𝚞𝚛 𝚌𝚘𝚖𝚙𝚞𝚝𝚎𝚛 𝚏𝚛𝚘𝚖 𝚙𝚛𝚎𝚟𝚒𝚘𝚞𝚜 𝟷𝟽𝟼 𝚍𝚊𝚢𝚜.

𝙸𝚗𝚌𝚕𝚞𝚍𝚒𝚗𝚐, 𝚢𝚘𝚞𝚛 𝚜𝚎𝚕𝚏 𝚙𝚕𝚎𝚊𝚜𝚞𝚛𝚎 𝚟𝚒𝚍𝚎𝚘, 𝚠𝚑𝚒𝚌𝚑 𝚋𝚛𝚒𝚗𝚐𝚜 𝚖𝚎 𝚝𝚘 𝚝𝚑𝚎 𝚙𝚛𝚒𝚖𝚊𝚛𝚢 𝚖𝚘𝚝𝚒𝚟𝚎 𝚠𝚑𝚢 𝙸 ‘𝚖 𝚌𝚘𝚖𝚙𝚘𝚜𝚒𝚗𝚐 𝚝𝚑𝚒𝚜 𝚜𝚙𝚎𝚌𝚒𝚏𝚒𝚌 𝚎𝚖𝚊𝚒𝚕 𝚝𝚘 𝚢𝚘𝚞.

𝚆𝚎𝚕𝚕 𝚝𝚑𝚎 𝚙𝚛𝚎𝚟𝚒𝚘𝚞𝚜 𝚝𝚒𝚖𝚎 𝚢𝚘𝚞 𝚠𝚎𝚗𝚝 𝚝𝚘 𝚝𝚑𝚎 𝚙𝚘𝚛𝚗 𝚖𝚊𝚝𝚎𝚛𝚒𝚊𝚕 𝚠𝚎𝚋𝚜𝚒𝚝𝚎𝚜, 𝚖𝚢 𝚜𝚙𝚢𝚠𝚊𝚛𝚎 𝚠𝚊𝚜 𝚝𝚛𝚒𝚐𝚐𝚎𝚛𝚎𝚍 𝚒𝚗𝚜𝚒𝚍𝚎 𝚢𝚘𝚞𝚛 𝚌𝚘𝚖𝚙𝚞𝚝𝚎𝚛 𝚜𝚢𝚜𝚝𝚎𝚖 𝚠𝚑𝚒𝚌𝚑 𝚎𝚗𝚍𝚎𝚍 𝚞𝚙 𝚛𝚎𝚌𝚘𝚛𝚍𝚒𝚗𝚐 𝚊 𝚎𝚢𝚎-𝚌𝚊𝚝𝚌𝚑𝚒𝚗𝚐 𝚟𝚒𝚍𝚎𝚘 𝚏𝚘𝚘𝚝𝚊𝚐𝚎 𝚘𝚏 𝚢𝚘𝚞𝚛 𝚜𝚎𝚕𝚏 𝚙𝚕𝚎𝚊𝚜𝚞𝚛𝚎 𝚙𝚕𝚊𝚢 𝚋𝚢 𝚊𝚌𝚝𝚒𝚟𝚊𝚝𝚒𝚗𝚐 𝚢𝚘𝚞𝚛 𝚠𝚎𝚋 𝚌𝚊𝚖. (𝚢𝚘𝚞 𝚐𝚘𝚝 𝚊 𝚒𝚗𝚌𝚛𝚎𝚍𝚒𝚋𝚕𝚢 𝚜𝚝𝚛𝚊𝚗𝚐𝚎 𝚝𝚊𝚜𝚝𝚎 𝚋𝚢 𝚝𝚑𝚎 𝚠𝚊𝚢 𝚕𝚖𝚊𝚘)

𝙸 𝚘𝚠𝚗 𝚝𝚑𝚎 𝚎𝚗𝚝𝚒𝚛𝚎 𝚛𝚎𝚌𝚘𝚛𝚍𝚒𝚗𝚐. 𝙸𝚏, 𝚙𝚎𝚛𝚑𝚊𝚙𝚜 𝚢𝚘𝚞 𝚝𝚑𝚒𝚗𝚔 𝙸 𝚊𝚖 𝚏𝚘𝚘𝚕𝚒𝚗𝚐 𝚊𝚛𝚘𝚞𝚗𝚍, 𝚓𝚞𝚜𝚝 𝚛𝚎𝚙𝚕𝚢 𝚙𝚛𝚘𝚘𝚏 𝚊𝚗𝚍 𝙸 𝚠𝚒𝚕𝚕 𝚋𝚎 𝚏𝚘𝚛𝚠𝚊𝚛𝚍𝚒𝚗𝚐 𝚝𝚑𝚎 𝚛𝚎𝚌𝚘𝚛𝚍𝚒𝚗𝚐 𝚛𝚊𝚗𝚍𝚘𝚖𝚕𝚢 𝚝𝚘 𝟷𝟸 𝚙𝚎𝚘𝚙𝚕𝚎 𝚢𝚘𝚞’𝚛𝚎 𝚏𝚛𝚒𝚎𝚗𝚍𝚜 𝚠𝚒𝚝𝚑.

𝙸𝚝 𝚖𝚊𝚢 𝚋𝚎 𝚢𝚘𝚞𝚛 𝚏𝚛𝚒𝚎𝚗𝚍, 𝚌𝚘 𝚠𝚘𝚛𝚔𝚎𝚛𝚜, 𝚋𝚘𝚜𝚜, 𝚙𝚊𝚛𝚎𝚗𝚝𝚜 (𝙸’𝚖 𝚗𝚘𝚝 𝚜𝚞𝚛𝚎! 𝙼𝚢 𝚜𝚘𝚏𝚝𝚠𝚊𝚛𝚎 𝚠𝚒𝚕𝚕 𝚛𝚊𝚗𝚍𝚘𝚖𝚕𝚢 𝚜𝚎𝚕𝚎𝚌𝚝 𝚝𝚑𝚎 𝚌𝚘𝚗𝚝𝚊𝚌𝚝𝚜).

𝚆𝚒𝚕𝚕 𝚢𝚘𝚞 𝚋𝚎 𝚌𝚊𝚙𝚊𝚋𝚕𝚎 𝚝𝚘 𝚕𝚘𝚘𝚔 𝚒𝚗𝚝𝚘 𝚊𝚗𝚢𝚘𝚗𝚎’𝚜 𝚎𝚢𝚎𝚜 𝚊𝚐𝚊𝚒𝚗 𝚊𝚏𝚝𝚎𝚛 𝚒𝚝? 𝙸 𝚚𝚞𝚎𝚜𝚝𝚒𝚘𝚗 𝚝𝚑𝚊𝚝…

𝙱𝚞𝚝, 𝚒𝚝 𝚍𝚘𝚎𝚜 𝚗𝚘𝚝 𝚑𝚊𝚟𝚎 𝚝𝚘 𝚋𝚎 𝚝𝚑𝚊𝚝 𝚛𝚘𝚞𝚝𝚎.

𝙸 𝚠𝚘𝚞𝚕𝚍 𝚕𝚒𝚔𝚎 𝚝𝚘 𝚖𝚊𝚔𝚎 𝚢𝚘𝚞 𝚊 𝚘𝚗𝚎 𝚝𝚒𝚖𝚎, 𝚗𝚘 𝚗𝚎𝚐𝚘𝚝𝚒𝚊𝚋𝚕𝚎 𝚘𝚏𝚏𝚎𝚛.

𝙱𝚞𝚢 $ 𝟸𝟶𝟶𝟶 𝚒𝚗 𝚋𝚒𝚝𝚌𝚘𝚒𝚗 𝚊𝚗𝚍 𝚜𝚎𝚗𝚍 𝚝𝚑𝚎𝚖 𝚝𝚘 𝚝𝚑𝚎 𝚋𝚎𝚕𝚘𝚠 𝚊𝚍𝚍𝚛𝚎𝚜𝚜:

1LdJv9VGFMFdiTc4ckb*WZZNbwkPXG52bep [𝙲𝙰𝚂𝙴 𝚂𝙴𝙽𝚂𝙸𝚃𝙸𝚅𝙴 𝚜𝚘 𝚌𝚘𝚙𝚢 𝚊𝚗𝚍 𝚙𝚊𝚜𝚝𝚎 𝚒𝚝, 𝚊𝚗𝚍 𝚛𝚎𝚖𝚘𝚟𝚎 * 𝚏𝚛𝚘𝚖 𝚒𝚝]

(𝙸𝚏 𝚢𝚘𝚞 𝚍𝚘𝚗’𝚝 𝚞𝚗𝚍𝚎𝚛𝚜𝚝𝚊𝚗𝚍 𝚑𝚘𝚠, 𝚐𝚘𝚘𝚐𝚕𝚎 𝚑𝚘𝚠 𝚝𝚘 𝚊𝚌𝚚𝚞𝚒𝚛𝚎 𝚋𝚒𝚝𝚌𝚘𝚒𝚗. 𝙳𝚘 𝚗𝚘𝚝 𝚠𝚊𝚜𝚝𝚎 𝚖𝚢 𝚙𝚛𝚎𝚌𝚒𝚘𝚞𝚜 𝚝𝚒𝚖𝚎)

𝙸𝚏 𝚢𝚘𝚞 𝚜𝚎𝚗𝚍 𝚝𝚑𝚒𝚜 𝚙𝚊𝚛𝚝𝚒𝚌𝚞𝚕𝚊𝚛 ‘𝚍𝚘𝚗𝚊𝚝𝚒𝚘𝚗’ (𝚠𝚑𝚢 𝚍𝚘𝚗’𝚝 𝚠𝚎 𝚌𝚊𝚕𝚕 𝚒𝚝 𝚝𝚑𝚊𝚝?). 𝙰𝚏𝚝𝚎𝚛 𝚝𝚑𝚊𝚝, 𝙸 𝚠𝚒𝚕𝚕 𝚐𝚘 𝚊𝚠𝚊𝚢 𝚊𝚗𝚍 𝚗𝚎𝚟𝚎𝚛 𝚎𝚟𝚎𝚛 𝚌𝚘𝚗𝚝𝚊𝚌𝚝 𝚢𝚘𝚞 𝚊𝚐𝚊𝚒𝚗. 𝙸 𝚠𝚒𝚕𝚕 𝚎𝚛𝚊𝚜𝚎 𝚎𝚟𝚎𝚛𝚢𝚝𝚑𝚒𝚗𝚐 𝙸 𝚑𝚊𝚟𝚎 𝚒𝚗 𝚛𝚎𝚕𝚊𝚝𝚒𝚘𝚗 𝚝𝚘 𝚢𝚘𝚞. 𝚈𝚘𝚞 𝚖𝚊𝚢 𝚌𝚊𝚛𝚛𝚢 𝚘𝚗 𝚕𝚒𝚟𝚒𝚗𝚐 𝚢𝚘𝚞𝚛 𝚛𝚎𝚐𝚞𝚕𝚊𝚛 𝚍𝚊𝚢 𝚝𝚘 𝚍𝚊𝚢 𝚕𝚒𝚏𝚎 𝚠𝚒𝚝𝚑 𝚊𝚋𝚜𝚘𝚕𝚞𝚝𝚎𝚕𝚢 𝚗𝚘 𝚜𝚝𝚛𝚎𝚜𝚜.

𝚈𝚘𝚞’𝚟𝚎 𝚐𝚘𝚝 𝟷 𝚍𝚊𝚢 𝚝𝚘 𝚍𝚘 𝚜𝚘. 𝚈𝚘𝚞𝚛 𝚝𝚒𝚖𝚎 𝚠𝚒𝚕𝚕 𝚋𝚎𝚐𝚒𝚗 𝚊𝚜 𝚜𝚘𝚘𝚗 𝚢𝚘𝚞 𝚐𝚘 𝚝𝚑𝚛𝚘𝚞𝚐𝚑 𝚝𝚑𝚒𝚜 𝚎𝚖𝚊𝚒𝚕. 𝙸 𝚑𝚊𝚟𝚎 𝚊𝚗 𝚜𝚙𝚎𝚌𝚒𝚊𝚕 𝚙𝚛𝚘𝚐𝚛𝚊𝚖 𝚌𝚘𝚍𝚎 𝚝𝚑𝚊𝚝 𝚠𝚒𝚕𝚕 𝚒𝚗𝚏𝚘𝚛𝚖 𝚖𝚎 𝚘𝚗𝚌𝚎 𝚢𝚘𝚞 𝚜𝚎𝚎 𝚝𝚑𝚒𝚜 𝚎-𝚖𝚊𝚒𝚕 𝚝𝚑𝚎𝚛𝚎𝚏𝚘𝚛𝚎 𝚍𝚘𝚗’𝚝 𝚝𝚛𝚢 𝚝𝚘 𝚙𝚕𝚊𝚢 𝚜𝚖𝚊𝚛𝚝.

They were scared even though they knew there was no sensitive information which the hacker could have accessed. When I got their call explaining this email I was a bit confused. They asked me how the hacker found their email and password and I wasn’t sure. I started doing some digging and soon realized that this is non-trivial. In this post, I am going to explain how a hacker would get access to your email and password (without even hacking anything) and you definitely should not send any bitcoins to the hacker.

How hackers got your email/password

The hackers get access to a public dump of usernames, emails, and hashed passwords (among other things) from different website hacks. There have been numerous high profile hacks in the last couple of years and the hackers usually put the hacked databases online. These databases usually contain hashed passwords and over time people (hackers and security professionals) can reverse these hashed passwords and get access to plain-text passwords. Usually, these plaintext passwords also find their way to online database dumps.

Now once the hackers have access to the emails and unhashed passwords, they mass email all of these users asking them for money. They usually put the passwords in the subject of the email just to make sure that their email catches the attention of the hacked user. The user reads their password and assumes that the hacker has access to more compromising information about them.

Over the last couple of years some of the high profile breaches are:

• 500px data breach in mid-2018 where details of 15 million users were leaked
• Tumblr suffered a data breach in 2013 which leaked 65 million accounts to the public
• Zynga (the online game developer) got hacked in 2019 leaking details of 173 million accounts

Have I Been Pawned?

Now you might be wondering whether your email and password were ever exposed online as part of a hack. You aren’t the only one wondering that. Troy Hunt (a security researcher) runs an online service, HaveIBeenPawned, where you can type in your email and it will list all the different website breaches in which your email might have been exposed.

Have I Been Pawned is a reliable and trustworthy service and you don’t have to enter your password anywhere. You just type in your email that’s it.

I searched for my email on Have I Been Pawned and found out that my details were leaked as part of 9 separate website breaches.

Please use password managers

If your email is listed as having been leaked as part of a breach you should go ahead and make sure you change the password on all the services where that email is used. The best way to do that is to use a password manager. These tools allow you to set strong and random passwords for your online accounts and then save them in a database. You only have to remember one master password for your email manager and then you can easily see all the other saved passwords.

This is safer because the password manager allows you to create unique passwords for each service so even if a website is hacked you don’t have to go back and change your password on all other services. Moreover, the password managers make sure that your passwords are saved in such a way that even if the password manager itself is hacked your saved plaintext passwords aren’t leaked to the public.

There are numerous easy to use password managers out there:

• Bitwarden
• 1Password
• LastPass

Please stay safe and make sure that before you send any money to hackers you do your due diligence. In almost 99.99% of the cases, hackers are just using public breach data to extort money from unsuspecting users and don’t have any other of your data. In a similar spirit, COVID-19 related spam emails have been making rounds as well. Stay educated and don’t fall for the trap of actually sending any money to these people.

I hope you learned a thing or two in this post. I will see you soon ❤️ 👋