Carnegie Mellon University
July 16, 2018

Extortion campaign leverages passwords stolen from third parties

Multiple members of our community have recently reported receiving e-mails that are known to be part of a large-scale extortion campaign. Messages from this campaign are identified by the following distinct features:

  • The message opens by disclosing a password to the recipient that is believed to be related to the targeted account holder, e.g.: "I’m aware that <password> is your password."
  • The message will then claim that the attacker has compromising video of the message recipient, and goes on to threaten to release this video publicly unless a cryptocurrency payment is made to the extortioner, generally within 24 hours.

The citation of a password in the message opening is intended to establish the extortioner's credibility with the message recipient, and to motivate the recipient to comply with the extortion request.  The cited password may be an old, valid password that was disclosed as the result of a prior compromise of an unrelated account or service, such as LinkedIn, Yahoo, Tumblr, MySpace and others.  It is believed that the attackers are leveraging older compromised credential lists to more narrowly target recipients of this campaign.
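The distinct features listed above can be turned into a simple triage check for a mail gateway or a help-desk script: flag a message when it opens with the "<password> is your password" claim and also carries the video threat, the cryptocurrency demand, or the short deadline. The following Python is an added example written for this page, not a tool from Carnegie Mellon's incident response team; the regular expressions, the scoring threshold and the sample message bodies are all constructed assumptions.

```python
import re
from typing import Optional

# Indicators taken from the advisory's description of the campaign. The patterns
# are an assumption about how the messages are worded; tune them on real samples.
PASSWORD_OPENING = re.compile(
    r"\bi\s*(?:am|'m|\u2019m)\s+aware\s+that\s+(\S+)\s+is\s+(?:one\s+of\s+)?your\s+passwords?\b",
    re.IGNORECASE,
)
VIDEO_CLAIM = re.compile(r"\b(?:video|webcam|recording|footage)\b", re.IGNORECASE)
CRYPTO_DEMAND = re.compile(r"\b(?:bitcoin|btc|cryptocurrency|wallet\s+address)\b", re.IGNORECASE)
DEADLINE = re.compile(r"\b(?:24|48|72)\s*(?:hours|hrs)\b", re.IGNORECASE)


def score_message(body: str) -> dict:
    """Report which of the four campaign indicators appear in the message body."""
    return {
        "password_opening": bool(PASSWORD_OPENING.search(body)),
        "video_claim": bool(VIDEO_CLAIM.search(body)),
        "crypto_demand": bool(CRYPTO_DEMAND.search(body)),
        "deadline": bool(DEADLINE.search(body)),
    }


def is_campaign_message(body: str) -> bool:
    """The password opening is the campaign's signature; require it plus at least
    two of the other three indicators so ordinary mail mentioning a video call or
    a 24-hour reminder is not flagged."""
    hits = score_message(body)
    if not hits["password_opening"]:
        return False
    return sum(hits[k] for k in ("video_claim", "crypto_demand", "deadline")) >= 2


def extract_cited_password(body: str) -> Optional[str]:
    """Pull the cited password out of the opening line so a responder can check
    whether it matches anything the recipient still uses. Returns None if the
    opening is not present."""
    match = PASSWORD_OPENING.search(body)
    return match.group(1) if match else None


# Constructed sample bodies for this example; not real messages.
SAMPLE_EXTORTION = (
    "I'm aware that hunter2 is your password. I placed malware on a site you visited "
    "and recorded video through your webcam. Send 900 dollars in bitcoin to the wallet "
    "address below within 24 hours or the video goes to all of your contacts."
)
SAMPLE_BENIGN = "Hi, reminder that the video call is at 3pm. Please confirm within 24 hours."
SAMPLE_RESET = "Your password was changed. If you did not do this, contact the help desk."

if __name__ == "__main__":
    for label, body in [("extortion", SAMPLE_EXTORTION), ("benign", SAMPLE_BENIGN), ("reset", SAMPLE_RESET)]:
        print(label, is_campaign_message(body), score_message(body), extract_cited_password(body))
```

Because the check keys on the password-disclosure opening rather than on the words "video" or "24 hours" alone, a legitimate meeting reminder or a real password-change notice is not flagged; the extracted password is what step 2 below asks the recipient to compare against their own accounts, so a responder can do that comparison without reading the threatening text aloud.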

If you have received one of these e-mails:

  1. Do not panic.  These individuals likely do not have any compromising video of you.
  2. If the password included in the e-mail is a password that you recognize, change the password for any account where this password was used.  New, unique passwords should be used for separate accounts to prevent the potential for an attacker to compromise multiple accounts with a single reused password.
  3. Please report the original message, including full headers, to iso-ir@andrew.cmu.edu so that our incident response team can analyze and block these messages.

Additional information concerning this extortion campaign may be found at the following external resources:
[1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
[2] https://isc.sans.edu/forums/diary/New+Extortion+Tricks+Now+Including+Your+Password/23866/