Background

You may have received an email with content similar to the image posted below, in which the sender claims to have "hacked your account." They lend credibility to this claim by presenting a password that you may have used at some point in your life.  Let's start by saying that, in most cases, most of the information in the email is false, and you should, under no circumstances, click on any link OR send any money to the person sending the email.

What's really happening

A business that holds your personal data was compromised.  This may have been an online presence such as Yahoo!, Target, or any number of other businesses that have suffered a data breach in the past.  The password they are displaying is very likely yours; that much is true.  They did not install software on your computer (in most cases) to obtain this information.  The "hacker" probably purchased your compromised data from someone who collects breached data, and is attempting to scam you by threatening you into handing over money (usually via Bitcoin or some other hard-to-trace electronic currency).

Under no circumstance should you click on any link or reply to the email.

What you should do

  1. If this is a password that you still use, change it immediately.
  2. Stop using the same password for multiple websites or services.  Best practice is one password per service.  The password should be as long as allowable by the service.
  3. If the service allows it, enable two-factor authentication.  This typically adds a step where, after entering your password, you must also enter a code sent to you by text message before you can reach the website.  This may be a small inconvenience, but it adds another layer of protection: a stolen password alone is no longer enough to log in.
  4. Use a password manager such as 1Password, LastPass or similar.  The manager remembers your complicated passwords for you and can generate new ones as long, random strings that are far more difficult to compromise than passwords you make up yourself.