Recently I was asked by a distressed, not-very-tech-savvy friend to help with a serious problem. She had been getting blackmail emails threatening all sorts of problems if she didn’t cough up a load of money, and it was clear that the blackmailers had access to a couple of her accounts at shopping sites, where she’d been locked out, so it wasn’t a hoax. She said that after contacting the sites concerned, they’d changed her details and let her back in, but then the same thing had happened again. So after listening to this, the first question I asked her was (to me) the obvious one: had she changed her email password yet?
The correct solution is normally the simplest. I assumed that the blackmailers had surreptitiously gained access to her email account, and were just clicking ‘forgotten password?’ at the shopping sites to change the password, then going into my friend’s email to get the confirmation message, and giving themselves access to do what they liked again.
My friend’s response wasn’t what I expected (an admission that she hadn’t changed her email password). It was actually much more alarming: “Does my email even have a password?”
I’ll leave you to work out how easy it is for people to get themselves into a position where they don’t know email has a password.
So that was an easy problem to sort – once we’d found out what the email password was, we changed it and the blackmailers could move on to another victim. But how did they get the email password in the first place? You’re probably ahead of me with my second question (“Did you use that password on any other sites?”) and the answer was – equally predictably – affirmative.
What my friend would be horrified to know would be how many sites she’d used had been the victims of password theft over the years. And how easy it is to buy these lists. If the email associated with the stolen password is a webmail service, it’s child’s play to start trying out the combinations to see who uses the same password on their email as on the service where the data had been stolen from. It’s really not sophisticated.
So what can we learn from this? If you really, really can’t use a different password for every online service you use, then at least ensure that your email password is unique and not used for anything else. Also, change it from time to time, just to be on the safe side. That applies to every email account you have.
If you use a password manager (I couldn’t live without one), it’s easy to have a different password for everything, and you’ll never have to type one in again. If you can face it, check out the grisly truth about which of your old passwords are available to bad people at haveibeenpwned.com.
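The haveibeenpwned.com check above can be done without ever sending the password itself: the Pwned Passwords service takes only the first five characters of the password’s SHA-1 hash and returns every matching suffix, and the comparison happens on your side. The code below is an added illustration, not part of this post or the service’s own code; the range response is a constructed sample, and the `reused_passwords` helper for spotting the reuse that caught my friend out is my own addition.

```python
import hashlib
import urllib.request
from collections import defaultdict

# Real Pwned Passwords k-anonymity endpoint; only a 5-char hash prefix is ever sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """SHA-1 the password; the 5-char prefix goes to the API, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the breach count for our suffix (0 if absent)."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Network fetch of one hash range. Add-Padding makes every response a similar size."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "reuse-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


def reused_passwords(site_passwords: dict) -> dict:
    """Group site names by identical password; any group larger than one is reuse."""
    groups = defaultdict(list)
    for site, pw in site_passwords.items():
        groups[pw].append(site)
    return {pw: sorted(sites) for pw, sites in groups.items() if len(sites) > 1}


# Constructed sample of a range response for prefix 5BAA6 (counts are made up).
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\n"
)
```

Pass `fetch=lambda p: SAMPLE_RANGE` to `check_password` to exercise the parsing offline; the default fetcher queries the live service.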
Even if you haven’t had people go as far as accessing your emails, you might have had the blackmail email which claims that your PCs or mobiles have some sort of malware on them, and that the blackmailers know what you’ve been watching and are going to tell the world. They get your attention by quoting your password in plain text in the subject line of a message to you, which is a real shock to those who get it. This one seems to be automated and isn’t a genuine threat, but it’s still scary. More here.