author photo
By Bob Sullivan
Tue | Jul 24, 2018 | 3:54 AM PDT

It was an email from a stranger that David Cotie couldn’t just ignore:

“I’m going to cut to the chase. I’m aware [XXXX] is your password. Most importantly, I am aware about your secret and I’ve proof of it.”

The password (which I’ve seen, but omitted here) was accurate. Whoever the writer was, he had Cotie’s actual password—an old one, anyway. And he claimed to have much more.

“I installed a malware on the adult video clips (porno) and you visited this site to experience fun (you know what I mean),” the email says.”I then gave in much more time than I should’ve digging into your life and made a double screen video. 1st part displays the recording you were viewing and 2nd part shows the video from your cam (its you doing dirty things).”

The writer goes on to demand $3,200 in bitcoins to “forget” the incident. Otherwise, the sextortionist writes, he’ll send the incriminating video to all of Cotie’s friends and email contacts. Cotie is also warned not to “call the cops.”

[ MORE: Stay ahead of cyber threats with training and solutions at a SecureWorld conference near you. See the fall 2018 schedule. ]

“You now have 48 hours to make the payment,” the note says. “You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll destroy the recording immediately. It’s a non negotiable offer, thus kindly don’t ruin my time & yours. The clock is ticking.”

Cotie didn’t respond. He instead forwarded the message to his IT department, which found this story on Brian Krebs’ security news site explaining the scam.

None of it would seem very real or menacing, but for the “real” password which the criminal sent in the extortion note. Cotie says he hadn’t used the jumble of letters and numbers for about three years, but the criminal had it. And that made the threat seem more serious.

“I wouldn’t say I was close to falling for it but it would have been the closest I have ever come and I was jarring more than anything,” Cotie told me. “I can see though how some people could fall into it if they actually do stuff on-line that would be embarrassing. These scammers are ruthless and very clever.”

Billions of passwords have been stolen in recent years. In fact, 3 billion were taken in just a single hack at I spent three months investigating the Yahoo hack in my podcast, Breach. Attacks like these are why. These hacks can have consequences for years. Those passwords are floating their way around cyberspace now, as criminals try their best to wring cash out of the pilfered data.

In one sense, Cotie should probably feel relieved. As “hacking” crimes go, this is a fairly harmless use of an old, stolen password. It probably means whatever criminal initially stole that data has given up trying to use it to login at any of the usual places—appearance in this kind of Hail Mary extortion note suggests the stolen data is on its last legs of usefulness to criminals.

Still, being presented with a real (if old) password by a criminal could certainly be jarring enough for some victims that they might momentarily panic and concede to a demand.

“I was a bit shaken and felt angry and violated to an extent… I get a lot of phishing emails in that filter but the fact that had a password I used was very unsettling once I read it,” Cotie said. “I took comfort in that I knew it was not a password I had used in at least three years and there was nothing I had done that would embarrass me to the extent the scammer was saying. But it gave me pause for sure. I almost wrote an antagonistic reply but thought better of it. I can see though how some people could fall into it if they actually do stuff online that would be embarrassing. These scammers are ruthless and very clever.”

Red tape wrestling tips

Online extortions of all kinds are a serious and growing problem. To really avoid trouble, consumers should avoid going to the internet’s darkest places, and consider covering up or disabling webcams. When receiving menacing notes, don’t panic: Most of the time, they are just scams. And keep in mind that, like Social Security numbers, many of your passwords aren’t really a secret any more, thanks to all these hacks. So don’t be impressed by a criminal brandishing an old password.

This article appeared originally here on