FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
1 Nov 2018, 01:52 PM | #1 |
Cornerstone of the Community
Join Date: Dec 2007
Location: San Antonio, Texas USA
Posts: 557
|
Long hostage email
"XXXX@fastmail.us has password i4l1o8h. Password must be changed"
That's the subject of an email I have received twice now. No, I did not open it. The "author" requests over $800 to unhack me. He tells me he's hacked my account and has explored all of my searches. Tries to make it sound personal. I won't reply, of course. But what I want to know is how he got my email address? |
1 Nov 2018, 04:32 PM | #2 |
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
|
There are various ways your email address might be guessed. For instance, especially if your username is short, this may be a "dictionary attack" where the scammer just tries likely possibilities in the hope that some resolve to real email addresses.
You might want to forward this email (as attachment) to abuse@fastmail.com to make them aware that this phishing attack is in progress. |
1 Nov 2018, 04:56 PM | #3 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 492
|
I've seen a report of this sort of spam recently, where people are sent emails claiming that their password is some particular value. It's possible that you did use that password some years ago even if you don't now. And the email address itself is, after all, known to all the people and companies you've used it to send emails to. Lots of companies either have employees who sell email addresses to spammers, or have data leaks where hackers manage to steal addresses etc. |
1 Nov 2018, 05:39 PM | #4 |
Cornerstone of the Community
Join Date: Dec 2007
Location: San Antonio, Texas USA
Posts: 557
|
I am pretty much a shut-in, so I conduct a lot of business online out of necessity. I guess one of my vendors uses sloppy encryption, but how will I know which one it is? I don’t like the idea of someone who wants a lot of money from me playing around in my accounts. I have three different addresses, and the one that got hacked is from my commercial account. Is it a password problem?
I will forward this to the FM abuse trackers. I still have the email. It is creepy. Thank you both for your replies. |
1 Nov 2018, 06:53 PM | #5 |
Cornerstone of the Community
Join Date: Jun 2004
Location: Rupert, WV
Posts: 882
|
This may be somewhat related.
Code:
Reasonably Clever Extortion E-mail Based on Password Theft
- Bruce |
1 Nov 2018, 06:55 PM | #6 |
Essential Contributor
Join Date: Apr 2007
Location: Canada
Posts: 227
|
I've received them too
About once a day for the past two weeks I get a similar email for an address I used a few years ago. My opinion: someone got the password file from a web site and sold it to someone else. They are running a script which sends out the emails. They ask for varying amounts, from US$800 to US$3000. The email claims I used it on a porn site and they have pictures of me watching porn. (One of the ways I know this is false.) I have 48 to 50 hours from when I read the email to respond or they will destroy my files and send all my contacts pictures of me.
Lots of reports of people getting these. Even a few reports of payments being made to the bitcoin accounts. Annoying, but harmless if you didn't use that password anyplace else. If you did, then you need to change it. Perhaps you used the same password on multiple systems. In which case you are taking something very valuable, e.g. the password to your bank, and giving it to a lot of people. And you are trusting them and their security. |
1 Nov 2018, 09:22 PM | #7 | |
Cornerstone of the Community
Join Date: Apr 2001
Location: Darlington, UK
Posts: 938
|
Quote:
Last edited by Adrian Bell : 1 Nov 2018 at 09:31 PM. |
|
1 Nov 2018, 09:32 PM | #8 |
Cornerstone of the Community
Join Date: Jun 2004
Location: Rupert, WV
Posts: 882
|
I use a password manager and it generates a different password for every entry I create in it. The only password that I have to remember is the one for that manager. I can do a search in it on a password or partial password and it will bring up the entry for it, which also contains the URL for whatever site it's for.
- Bruce |
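Added example, not part of the thread and not any password manager's own code: the search described in the post above, run over a CSV export of a vault to find which entries use the password quoted in an extortion email and which entries share a password. The column names (`name`, `url`, `username`, `password`), the sample rows and the quoted password are constructed assumptions; real export formats differ by product.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column layout is an assumption, not a real product's format.
SAMPLE_EXPORT = """name,url,username,password
Old forum,https://forum.example,user@example.com,sunflower88
Bookshop,https://books.example,user@example.com,Sunflower88!2016
Bank,https://bank.example,user@example.com,Vq7#correct-horse-91
Utilities,https://power.example,user@example.com,Vq7#correct-horse-91
Mail,https://mail.example,user@example.com,t9$Lm2!xR0pZ
"""

def load_entries(export_text):
    """Parse the exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(export_text)))

def find_entries_using(entries, quoted_password, min_partial=4):
    """Return (exact, partial) entry names for the password quoted in the email.

    Partial matches are case-insensitive substrings, which catches variants
    of an old password that were derived by adding a suffix or changing case.
    """
    exact, partial = [], []
    needle = quoted_password.lower()
    for entry in entries:
        stored = entry["password"]
        if stored == quoted_password:
            exact.append(entry["name"])
        elif len(needle) >= min_partial and needle in stored.lower():
            partial.append(entry["name"])
    return exact, partial

def reused_passwords(entries):
    """Group entry names that share one password, without returning the password itself."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["password"]].append(entry["name"])
    return sorted(names for names in groups.values() if len(names) > 1)

if __name__ == "__main__":
    vault = load_entries(SAMPLE_EXPORT)
    exact, partial = find_entries_using(vault, "sunflower88")
    print("Change first (exact match):", exact)
    print("Change next (variant of it):", partial)
    print("Shared between sites:", reused_passwords(vault))
```

A plaintext export holds every password in the vault, so delete the file once the check is done.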
2 Nov 2018, 12:00 AM | #9 | |
Member
Join Date: Jul 2014
Posts: 77
|
I've received a few of these lately. It is always the same password, and one I did in fact use.
Quote:
Last edited by Folio : 2 Nov 2018 at 12:03 AM. Reason: Clarification |
|
2 Nov 2018, 12:24 AM | #10 |
Cornerstone of the Community
Join Date: Apr 2001
Location: Darlington, UK
Posts: 938
|
I've never used them so there must also have been more sites hacked.
|
2 Nov 2018, 05:48 AM | #11 |
Cornerstone of the Community
Join Date: Dec 2007
Location: San Antonio, Texas USA
Posts: 557
|
So I've been trying to figure out LastPass, which is not getting a lot of love on the Internet. (It has apparently been breached?) Anyway, I try to download it, and no icon ever appears so that I can proceed. I have an iMac desktop (Sierra). I can't find much help on the LastPass forum; they mostly just tell me to download it again, so I have downloaded the thing three times and still no icon.
|
2 Nov 2018, 07:31 AM | #12 |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,751
|
Just use the web version of LastPass by getting one of the browser extensions. Not sure what advantage the desktop app has over the browser extension. LastPass works well, though I find the interface rather clunky and I don't like the unreliable automatic login for websites. Bitwarden is my current favorite password manager. It also has a web extension and you can set it to ask if you want to log in to a site, so it doesn't automatically go ahead and do it--which seems like a security vulnerability to me. I like the interface better. The Android app works well and can be unlocked with your fingerprint. The one problem with every password manager is they make it difficult to switch to another brand. Yes, you can download your data and reupload to the new manager, but there always seem to be fields that don't match up, etc. I have switched a few times and it is good to budget at least a few hours to get everything sorted out, and don't delete the old manager and files for at least a few weeks or months. If something doesn't migrate properly you may lose a login.
|
2 Nov 2018, 08:17 AM | #13 |
Cornerstone of the Community
Join Date: Dec 2007
Location: San Antonio, Texas USA
Posts: 557
|
What about just using Tor? Is it just for nefarious purposes?
|
2 Nov 2018, 02:44 PM | #14 |
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 3,029
|
|
2 Nov 2018, 02:56 PM | #15 |
Cornerstone of the Community
Join Date: Dec 2007
Location: San Antonio, Texas USA
Posts: 557
|
The password in that scam email was NOT my password. The only thing that was correct was my email address.
|