<div dir="auto">Don't worry about this kind of email. It's a know scam.<div dir="auto"><br></div><div dir="auto">It's very easy to get hand of a stolen password database, and as most people only have one or two passwords, claim you hacked them and have compromising info. But they don't have, don't worry. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Aug 4, 2018 09:10, "Giles Orr via talk" <<a href="mailto:talk@gtalug.org">talk@gtalug.org</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="quoted-text">On 4 August 2018 at 04:47, D. Hugh Redelmeier via talk <span dir="ltr"><<a href="mailto:talk@gtalug.org" target="_blank" rel="noreferrer">talk@gtalug.org</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I received a blackmail message by email. It claimed that they hacked my <br>
system and had compromising videos from my computer's camera.<br>
<br>
As proof, they gave me what they claimed was my password. But I only used <br>
that password on two sites: <a href="http://canadacomputers.com" rel="noreferrer noreferrer" target="_blank">canadacomputers.com</a> and <br>
<a href="http://xpresscanada.com" rel="noreferrer noreferrer" target="_blank">xpresscanada.com</a> (a long-dead Canada Computers site).<br>
<br>
So I'm not worried.<br>
<br>
I informed CC about three weeks ago. They seemed to ignore the<br>
report. I phoned again two weeks ago, and they were interested. I<br>
told them if I didn't hear that they'd informed their customers that<br>
I'd publicize this security breach.<br>
<br>
I've heard nothing else. So I presume that they have not announced it<br>
to their customers.<br>
<br>
Today I got another blackmail message with the same password.<br>
<br>
What do you think that I should do?<br>
<br>
PS: my password is a random string generated by mkpasswd(1) so it would <br>
not have been discovered by an online exhaustive search. They most likely<br>
filched the password file from CC.<br>
<br>
PPS: I'm glad that I don't reuse passwords!<br></blockquote></div></div><div class="gmail_extra"><br></div></div><div class="gmail_extra">Someone at work got a similar email claiming that the emailer had compromising video footage (it was a work account - no cams and very improbable anyway). It demanded bitcoin and gave a hash to deliver it to. But it didn't show a password, so yours is a somewhat nastier and more effective variant. Ours claimed to have footage of the person's "senescence." OMG - you caught me aging?! (Okay, not quite what it means.)<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">As for the password thing ... I really haven't figured out what best practice is on time between notification-of-breach to public reveal. (I went after the Science Centre about their use of SSL2 on their website - where they take people's credit cards - so I have had a peripherally related experience with problem/notification/reveal <a href="https://www.gilesorr.com/blog/science-centre-ssl.html" target="_blank" rel="noreferrer">https://www.gilesorr.com/blog/science-centre-ssl.html</a> ). I'd say a month? But I'd probably start the clock from your three weeks ago email. Although if you didn't tell them _when_ you were going to reveal, that's not totally fair. But it's also weighed against the public damage that's arguably being caused by these emails.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">The Canada Computers password database breach could have been years ago. But if it was, did they make that known? Did they even know? <sigh></div><div class="gmail_extra"><br></div><div class="gmail_extra">P.S. And I'm glad I've never purchased from their website, only their stores.<div class="signature-text"><br clear="all"></div></div><div class="signature-text"><div class="gmail_extra"><br>-- <br><div class="m_-87735163542149761gmail_signature" data-smartmail="gmail_signature">Giles<br><a href="https://www.gilesorr.com/" target="_blank" rel="noreferrer">https://www.gilesorr.com/</a><br><a href="mailto:gilesorr@gmail.com" target="_blank" rel="noreferrer">gilesorr@gmail.com</a></div>
</div></div></div><div class="elided-text">
---<br>
Talk Mailing List<br>
<a href="mailto:talk@gtalug.org" target="_blank" rel="noreferrer">talk@gtalug.org</a><br>
<a href="https://gtalug.org/mailman/listinfo/talk" rel="noreferrer noreferrer" target="_blank">https://gtalug.org/mailman/listinfo/talk</a><br>
</div></blockquote></div><br></div>