Have you ever received the email, or similar, above?
This is what I’d call a scam scam… let me explain.
Let’s pretend that I have a website where I sell widgets. To purchase these widgets you need to create a user account. When you create your user account you use your email address, myemailaddress@something.com, and a password. The password… ahh, here comes the rub. You obtained your pet Scruffy in 2010 and this is your password of choice… Scruffy2010. You use this password everywhere. So you use the password Scruffy2010 when creating your user account for sheldonsellswidgets.com.
One day the website sheldonsellswidgets.com gets hacked. The usernames and passwords were not stored properly (hashed) and are in a readable state by the bad guys. So they see that someone’s email address is myemailaddress@something.com and the password associated with this email address is Scruffy2010. Because the usernames and passwords were not stored properly the bad guys have a huge list of email addresses and passwords.
Now the bad guys start sending out an email to all the addresses in their list using the password associated with the list.
Some people who receive the email above will panic! Oh my! This is my password! What do I do? The real issue here is that the same password is being used everywhere by these people and thus it is really scary to them. Bad guys, in addition to trying to extort money from you via an email, could also try logging into different accounts (Amazon, Facebook, banking sites) with this same email address and password.
Some people will get the email and react differently because the password in their email will be the password for sheldonsellswidgets.com only. These people might go to sheldonsellswidgets.com and change their password and just be done with it.
As a side note everyone should get with the people who own/operate that website and question why the passwords were not hashed. We have a post coming out Saturday (September 26, 2020) giving a brief understandable explanation on hashing.
The scam scam is that the bad guys really don’t know anything about you… all they know is that there is a user account on sheldonsellswidgets.com that has an email address of myemailaddress@something.com and this account has the password of Scruffy2010.
One could tend to cause the same amount of anxiety by walking through a crowded room, randomly telling people “I know your PIN number is 7156”. Anyone with a PIN number of 7156 for any application is likely to get spooked.
The take away…
Start using different passwords for your accounts. It might be painful, security measures are more painful than no security, but it will stop someone who gets one of your passwords from really getting the keys to the kingdom.