- Computer / Internet Tips & News for Computer Techs clients - https://computertechsreno.com/tips -

Email scam uses data from breached websites to craft authentic-looking email – How to check if your email address was exposed

Updated October 2024 to include new scare tactics:

An email scam that we initially wrote about in 2018 has been spreading quickly in different variants that claim to have hacked the recipient’s email account and include a password used by the recipient. One variant further claims to have caught the recipient looking at pornographic websites, and demands a “ransom” in the form of a Bitcoin cryptocurrency payment to prevent webcam photos from being sent to all of the recipient’s contacts. Examples of the “sextortion” emails are shown below.

Above: This new variation of a “sextortion” email seen in 2024 mentions the recipient’s home address and includes a photo obtained from Google Maps street view.
This email from 2018 claims that the sender hacked the recipient’s email account, and even includes a password obtained from a data breach.

If you’re the recipient of such an email you may think “how did someone hack into my email account, and know my password?” The answer: they likely didn’t hack your account.

Here’s how they have information about you: Data breaches at companies such as LinkedIn, Yahoo and countless others have exposed the email addresses, passwords and street addresses of millions of users. Clever scammers have taken widely available information from the data breaches and crafted emails that contain some of that information. If the password used to log in to your email isn’t used anywhere else, they likely just forged the email address to make it look like it came from your own account. With the addition of potentially embarrassing information, the “sextortion” scammer asks for Bitcoin cryptocurrency to prevent the release of information to everybody in your contact list (which they probably don’t really have).
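For readers comfortable viewing an email's raw headers, the forged "sent from your own account" trick can be checked from the message source. The following Python sketch is an added example, not part of the original article; the sample message, addresses and finding labels are constructed, and it assumes your mail provider records an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); all domains are example domains.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: Your account was hacked

I know your password. Send payment in Bitcoin within 48 hours.
"""

def addr_domain(value):
    """Return the lowercase domain of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return findings suggesting a spoofed 'from your own account' email."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    # The scam relies on the visible From matching the recipient's own address.
    if from_addr and from_addr == to_addr:
        findings.append("from-equals-to")
    # Return-Path reflects the envelope sender. A mismatch alone is a weak
    # signal (bulk mailers do this too), but it adds weight with the others.
    rp = addr_domain(msg.get("Return-Path"))
    if rp and rp != addr_domain(msg.get("From")):
        findings.append("return-path-domain-mismatch")
    # Verdicts recorded by the receiving mail server (RFC 8601 header).
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", results)
        if m and m.group(1) != "pass":
            findings.append(f"{method}-{m.group(1)}")
    # Handles the single-part plain-text case only.
    body = msg.get_payload()
    if isinstance(body, str) and re.search(r"\b(bitcoin|btc)\b", body, re.I):
        findings.append("bitcoin-demand")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message that shows your own address in From but fails SPF and DMARC was not sent from your account, which matches the explanation above.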

In summary, just ignore/delete the email and change the password on any websites that match the password in the email. You shouldn’t be using the same password on multiple sites anyway.

To find out if your email address(es) have been exposed in a data breach, you can safely enter your email address in the following websites: Mozilla Monitor and Have I Been Pwned.

Also see our top 5 password tips that you need to know.