Having an unique username/password combination for each website is revealing to be a near impossible task. Although there are websites supporting complementary login mechanisms, such as OTP (One Time Passwords) or 2FA (Two-Factor Authentication), there are some websites still offering the plain old username and password inputs.
When facing other website asking for registration, we typically use the same e-mail on every other website. And if we use the same username, why not using the same password? Unfortunately, this lazy behavior brings a problem: it means that if some website password is compromised, hackers may try to use the same username and password in other popular websites. And succeed in many cases.
This problem is even worse if the password is the one used to login on e-mail. This is a starting point of our digital lifes, meaning hackers not only can reset other passwords at will, but also have access to possibile sensitive information. But does it really happen? Do really hackers try to do something with passwords discovered on compromised websites?
Reusing passwords and Bitcoin blackmailing
When checking my spam folder, I found a particularly interesting e-mail:
Save your life - <password>
<password> was a password which I actually used several years ago (and yes, I also reused password on the past, so I’m getting my lesson here :) ). That particular password was only used for disposable accounts, so no major worries. I decided to give the e-mail a read just to understand what it was about (I will omit some parts for privacy):
I know your password is: <password> I infected you with a malware (...), I have been observing your actions. The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphone (...) I have also access to all your contacts, I collected everything private from you, pictures, videos, everything!
I would be concerned if it was a critical password. But there’s more:
And I MADE A VIDEO SHOWING BOTH YOU (through your webcam) AND THE VIDEO YOU WERE WATCHING (on the screen) WHILE STATISFYING YOURSELF! I can send this video to all your contacts (email, social network) and publish all your private stuff everywhere! You can prevent me from doing this! To stop me, transfer exactly: <1234>$ with the current bitcoin (BTC) price to my bitcoin address. (...) My bitcoin adress is: 1HB3KtKoguFuZ4BdmCv9Fc4tYTwDQgmqmW
Long story short, the hacker “got into” my computer and demands a Bitcoin payment. Naturally nothing of that happened, and I will not pay a cent for sure. Looking online for similar behavior, I found that I was not the only target: there are hundreds of people that had received the same e-mail, only changing the password which was customized for each recipient (the e-mail was probably associated with the hacked password on the compromised website.)
Take a look at the Bitcoin wallter transactions. There are some payments done with a similar amount which was asked on the e-mail I received, meaning that some individuals are actually falling for the scam, or the hacker is just sending money to himself suggesting others are paying and we should to. At Bitcoin Abuse, there are several reports of this Bitcoin address unmasking this scam which started a few days ago.
The hacker knows my password!
If you use the same login combination for every website, hackers can try to access other popular services (such as Instagram or Twitter), gather information, open new accounts under our e-mail address, or simply doing nothing, waiting until the best time to blackmail (although rare because hackers prefer mass targets, but still possible). In such situation, the common advise is to not pay anything to hackers and change all password immediately. Specially e-mail passwords, you should use Multiple Factor Authentication to enhance your protection.
About not reusing passwords, it’s another story. Our brains were not developed to memorize hundreds of random combinations, so best suggestion I have is to use a password manager like Keepass. You can also consider the passphrase technique, creating a list of easily memorable passwords. Both options don’t reduce the amount of passwords you need to handle, but giving that passwords are still in place, they are the only way to defend ourselves in the online world.