Mfcttrf

Sextortion with actual password not found in leaks

Can GPL and BSD licensed applications be used for government work?

Navigating the multiverse of bifurcated parallel realities

I have a domain, static IP address and many devices I'd like to access outside my house. How do I route them?

How may I shorten this shell script?

What's the explanation for this joke about a three-legged dog that walks into a bar?

How could an engineer advance human civilization by time traveling to the past?

Extrapolation v. Interpolation

Why are MEMS in QFN packages?

How important is a good quality camera for good photography?

Character Frequency in a String

Other than a swing wing, what types of variable geometry have flown?

Are glider winch launches rarer in the USA than in the rest of the world? Why?

Company requiring me to let them review research from before I was hired

Can a character with a low Intelligence score take the Ritual Caster feat and choose the Wizard class?

How to write a sincerely religious protagonist without preaching or affirming or judging their worldview?

Why must API keys be kept private?

What the purpose of the fuel shutoff valve?

How can I deal with someone that wants to kill something that isn't supposed to be killed?

Historicity doubted by Romans

how to add 1 milliseconds on a datetime string?

Idioms: Should it be " the internet is a seemingly infinite well of information" or "the internet is a seemingly infinite wealth of information"

What was the rationale behind 36 bit computer architectures?

USA: Can a witness take the 5th to avoid perjury?

Sextortion with actual password not found in leaks

Can people let me know why this command was ran and why he typed "network hacked…clampi foundFound scam site that tricks you into giving them more contact info to remove your existing public infoMessage telling me that I bought something with credit cardSent text by bank I don’t have an account with- Is this a scam?Email from a hacker with my passwordI entered my password in a possible scam website. What should I do?Hacker used my account to place an order, but not my credit card. Why?Why would a scammer not reply with the same email?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

3

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?

scam

share|improve this question

edited 9 hours ago

user32849

asked 9 hours ago

user32849user32849

11644 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Anyone can set up a login form and then dump their database on the Internet. It's up to you to make sure this doesn't jeopardize you in any way.
  
  – John Dvorak
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  I don't see how this relates to the question.
  
  – user32849
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  No breach site can ever claim to be complete.
  
  – schroeder♦
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Do you know where this password came from?
  
  – schroeder♦
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unfortunately not.
  
  – user32849
  9 hours ago
  

  
  
  
  

add a comment | 

3

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?

scam

share|improve this question

edited 9 hours ago

user32849

asked 9 hours ago

user32849user32849

11644 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Anyone can set up a login form and then dump their database on the Internet. It's up to you to make sure this doesn't jeopardize you in any way.
  
  – John Dvorak
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  I don't see how this relates to the question.
  
  – user32849
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  No breach site can ever claim to be complete.
  
  – schroeder♦
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Do you know where this password came from?
  
  – schroeder♦
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unfortunately not.
  
  – user32849
  9 hours ago
  

  
  
  
  

add a comment | 

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?

scam

share|improve this question

edited 9 hours ago

user32849

asked 9 hours ago

user32849user32849

11644 bronze badges

share|improve this question

edited 9 hours ago

user32849

asked 9 hours ago

user32849user32849

11644 bronze badges

share|improve this question

edited 9 hours ago

user32849

asked 9 hours ago

user32849user32849

11644 bronze badges

asked 9 hours ago

user32849user32849

11644 bronze badges

asked 9 hours ago

user32849user32849

11644 bronze badges

1 Answer
1

active

oldest

votes

7

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 9 hours ago

john doejohn doe

7355 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also worth noting that this is a very common tactic. They find a forum or website somewhere that has SQLi, dump the passwords, find the ones that aren't yet public, then send sextortion emails to that subset of users using the password as false leverage to "prove" that they know something about you that "couldn't" be known unless they had access to your computer.
  
  – Polynomial
  1 hour ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214048%2fsextortion-with-actual-password-not-found-in-leaks%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

7

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 9 hours ago

john doejohn doe

7355 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also worth noting that this is a very common tactic. They find a forum or website somewhere that has SQLi, dump the passwords, find the ones that aren't yet public, then send sextortion emails to that subset of users using the password as false leverage to "prove" that they know something about you that "couldn't" be known unless they had access to your computer.
  
  – Polynomial
  1 hour ago
  

  
  
  
  

add a comment | 

7

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 9 hours ago

john doejohn doe

7355 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also worth noting that this is a very common tactic. They find a forum or website somewhere that has SQLi, dump the passwords, find the ones that aren't yet public, then send sextortion emails to that subset of users using the password as false leverage to "prove" that they know something about you that "couldn't" be known unless they had access to your computer.
  
  – Polynomial
  1 hour ago
  

  
  
  
  

add a comment | 

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 9 hours ago

john doejohn doe

7355 bronze badges

share|improve this answer

answered 9 hours ago

john doejohn doe

7355 bronze badges

answered 9 hours ago

john doejohn doe

7355 bronze badges

answered 9 hours ago

john doejohn doe

7355 bronze badges