Sextortion scam uses old passwords to extort money from victims

Cybercriminals are taking old passwords bought and sold online from previous breaches and using them against unsuspecting victims in the latest sextortion scam making the rounds.

“They are taking old password databases that may have been leaked six, seven, or ten years ago,” said Sophos security expert Chester Wisniewski.

Coverage of cybersecurity on Globalnews.ca:

7:12 Cybersecurity and privacy are no longer mutually exclusive: Jones

• Cybersecurity and privacy are no longer mutually exclusive: Jones
• U.S., Russia cybersecurity collaboration criticized
• Cybersecurity expert discusses global reach of latest ransomware attack
• CyberSmart Summit: Making cybersecurity a priority
• Cybersecurity expert credits British man with saving U.S. from ‘WannaCry’ cyberattack

Previous Video

Next Video

RCMP describe “sextortion” as incidents involving the threat of releasing shared intimate videos, images, or explicit messages online.

Burnaby RCMP have investigated 24 incidents of sextortion since May.

Police say some of those cases have resulted in victims transferring money to the suspect.

READ MORE: Burnaby RCMP issue ‘sextortion’ warning to public

Wisniewski said it’s unlikely that criminals have compromising images of their target victims.

“Unless you happen to store some compromising pictures somewhere where you do use that password, even in that case, the criminals wouldn’t know. They’re just bluffing,” said Wisniewski.

Still, it’s important to protect yourself. A 2018 IBM sponsored data breach study reported 48 percent of all breaches are caused by malicious or criminal attacks.

“When you hear about your password being stolen in a breach on the news, if you use that password on more than one website, as soon as the criminals have it, they try to log on to Facebook with it and they try and log on to Instagram with it and then they try and log onto any banking website,” said Wisniewski.

Tweet This Click to share quote on Twitter: "When you hear about your password being stolen in a breach on the news, if you use that password on more than one website, as soon as the criminals have it, they try to log on to Facebook with it and they try and log on to Instagram with it and then they try and log onto any banking website," said Wisniewski.

That’s why it’s imperative passwords are different for all accounts, changed often, and unique.

Wisniewski recommends a password manager tool that can safely store and manage complex passwords in an encrypted database.

“That’s the key, not to use the same password everywhere and to try and make it complicated which means we don’t want to memorize it so it’s better to use a program and let it do it,” said Wisniewski.

READ MORE: Dutch man arrested for ‘sextortion’ of Lethbridge boy — ALERT

While practicing safe password use is important, Wisniewski warns the best way to protect ourselves is to trust no one.

“If you are doing business with your bank, you have to call your bank,” he said.

“If you are doing business with the Canada Revenue Agency, you need to call the CRA. If anyone contacts you through any mechanism, whether that’s online, on the telephone, or even knocking on your door, those people cannot be trusted to be authorities.”