Password stolen.... but whare?

So I get tons of spam and usually it is nothing but I looked in spam and recently had one that had my correct password along with whatever mistakes I typed in the field before the correct one. So I'm very confused, I don't use the same pass for everything and a lot of my stuff is dual auth but I'm still worried. I think I even had an email in there sent from my own email but I need to double check if that's fake because the password they had was not my email one. One of the passwords it sent me was a very old Netflix one which I never used other places and had accidentally typed in not that long ago.


How does a spam email have your password? I don’t understand what you mean by that.

 

Getting spam doesn’t mean they have your password anyway, just your email address.

Phone 1 (Daily Driver): Samsung Galaxy Z Fold2 5G

Phone 2 (Work): Samsung Galaxy S21 Ultra 5G 256gb

Laptop 1 (Production): 16" MBP2019, i7, 5500M, 32GB DDR4, 2TB SSD

Laptop 2 (Gaming): Toshiba Qosmio X875, i7 3630QM, GTX 670M, 16GB DDR3


Either you downloaded and installed a keylogger, or you visited a fake look-a-like site that is designed to steal user info.


A lot of those spam emails are generated from aggregated lists of stolen password and email dumps from the multitude of breaches over the years. I get tons of those from ancient accounts with irrelevant passwords that were discarded years ago.

 

It's super easy to send as someone else also. That's why a lot of spam filters have checks in place to see if a message is coming from a trusted source (if properly configured).

 

As for having your previously entered attempts, that sounds like a phishing scam you fell for, as said above.
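The trusted-source check mentioned in the post above can be read off a received message. This is an added example, not part of the post: it assumes the receiving server records SPF, DKIM and DMARC verdicts in an `Authentication-Results` header, and the messages, domains and server name `mx.example.net` are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: an extortion mail whose From: is the recipient's own
# address. Domains are reserved example names; mx.example.net stands in for
# the recipient's own mail server (an assumption of this example).
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=bounce@mailer.example.org;
 dkim=none;
 dmarc=fail header.from=example.com
From: me@example.com
To: me@example.com
Subject: I know your password

(body omitted)
"""

# Constructed counterpart: the same message as it would look if it had
# really been sent through the domain's own infrastructure.
GENUINE = (SPOOFED.replace("spf=softfail", "spf=pass")
                  .replace("dkim=none", "dkim=pass header.d=example.com")
                  .replace("dmarc=fail", "dmarc=pass"))

def sender_check(raw, trusted_authserv="mx.example.net"):
    """Return the From: domain and the SPF/DKIM/DMARC verdicts recorded by
    our own mail server; headers stamped by anyone else are ignored."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can forge this header too; skip foreign ones
        verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", results.lower()))
        break  # the topmost matching header is the one our server added
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # DMARC pass means SPF or DKIM passed and aligned with the From: domain.
    return {"from_domain": from_domain, **verdicts,
            "from_is_authenticated": verdicts["dmarc"] == "pass"}
```

A `From:` line showing your own address together with `dmarc=fail` means the message did not come from your account.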


@Shadow_Storm56 Scammers will often get data from leaked attacks such as Collection #1. They then threaten you saying things like they will tell everybody you watch p*** if you don't give them £1000. Best thing to do is change passwords and ignore the emails. Do not click on any links they send; links from unknown sources are often keyloggers or, worse, viruses.

If you want me to see your reply, please tag me @Faisal A


That's the first time I've heard about a spam email containing your password... gotta be more careful on the weebs man

 

17 hours ago, RoseLuck462 said:

How does a spam email have your password? I don’t understand what you mean by that.

 

Getting spam doesn’t mean they have your password anyway, just your email address.

They said we have this password _______ and you need to send us money. It was my password.

 

17 hours ago, Den-Fi said:

A lot of those spam emails are generated from aggregated lists of stolen password and email dumps from the multitude of breaches over the years. I get tons of those from ancient accounts with irrelevant passwords that were discarded years ago.

 

It's super easy to send as someone else also. That's why a lot of spam filters have checks in place to see if a message is coming from a trusted source (if properly configured).

 

As for having your previously entered attempts, that sounds like a phishing scam you fell for, as said above.

The password in question is at least... 5 years old and yeah I assumed it was probably a spoof and not actually from my email.

 

16 hours ago, Norwegiantweaker said:

That's the first time I've heard about a spam email containing your password... gotta be more careful on the weebs man

I'm very careful.


If it was an old password and you were still using it... Just change it. If not, don't bother caring about it, just a spoof email with a leaked password.
 

If you're not already doing so, I suggest using a password manager, like KeePass (free and open source), to generate unique, long and complicated passwords for each website and service you use. That way if one of them leaks, you're 100% unaffected elsewhere.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


23 minutes ago, Shadow_Storm56 said:

They said we have this password _______ and you need to send us money. It was my password.

 

Oh, well you better pay up then.


It's a scam. Your password ended up on a breach and they want to get bitcoin from you. 

 

You can check out https://haveibeenpwned.com/ to see what breaches you're in. 

 

If you're not using a password manager it's time to start. Check out Bitwarden, 1Password, or KeePassXC if you want a local one. You need to give every account a unique password. Also, don't forget your master password to your password manager as most password managers don't have a reset option. 


15 hours ago, Glorious said:

It's a scam. Your password ended up on a breach and they want to get bitcoin from you. 

 

You can check out https://haveibeenpwned.com/ to see what breaches you're in. 

 

If you're not using a password manager it's time to start. Check out Bitwarden, 1Password, or KeePassXC if you want a local one. You need to give every account a unique password. Also, don't forget your master password to your password manager as most password managers don't have a reset option. 

See I forget things.... but most of my passwords are weird and unique. 

 

15 hours ago, RoseLuck462 said:

Oh, well you better pay up then.

Haha no

 

15 hours ago, Glorious said:

It's a scam. Your password ended up on a breach and they want to get bitcoin from you. 

 

You can check out https://haveibeenpwned.com/ to see what breaches you're in. 

 

If you're not using a password manager it's time to start. Check out Bitwarden, 1Password, or KeePassXC if you want a local one. You need to give every account a unique password. Also, don't forget your master password to your password manager as most password managers don't have a reset option. 

See I use dual auth for most and I have like 20 different passwords. I don't like the idea of a password manager, if I forget its password I'm screwed. Plus it puts it in one spot, also that link said I'm super pwned on that email.

Edit: I wish all sites had dual auth

 

17 hours ago, TempestCatto said:

Either you downloaded and installed a keylogger, or you visited a fake look-a-like site that is designed to steal user info.

It would not be keylogged, I have high end protection and scans found nothing, plus I'm careful with what I install. I get so many spam emails it is possible a look-alike slipped through... or a masked one.


5 hours ago, Shadow_Storm56 said:

So I get tons of spam and usually it is nothing but I looked in spam and recently had one that had my correct password along with whatever mistakes I typed in the field before the correct one. So I'm very confused, I don't use the same pass for everything and a lot of my stuff is dual auth but I'm still worried. I think I even had an email in there sent from my own email but I need to double check if that's fake because the password they had was not my email one. One of the passwords it sent me was a very old Netflix one which I never used other places and had accidentally typed in not that long ago.

where* (in the title)

 

Check on here: https://haveibeenpwned.com/ (They also have a password check tool. It's safe to use, they just check what you enter against millions of accounts that have been leaked to see if there are matches.)

I'd change the passwords on any accounts using the password in question, make sure that 2 factor authentication is on wherever you can turn it on (especially on your email address), and force logout of everything you can. (Some websites will let you see where you're logged in and let you log out of certain places or everyone at once. Some websites also automatically log you out of everywhere after changing your password. I wouldn't be surprised if some don't do this though.)

 

2 hours ago, Shadow_Storm56 said:

It would not be keylogged, I have high end protection and scans found nothing, plus I'm careful with what I install. I get so many spam emails it is possible a look-alike slipped through... or a masked one.

How can you be so sure? What if it slipped through the protection?

 

What specifically is the "high end protection" that you have?

Specs: CPU - Intel i7 8700K @ 5GHz | GPU - Gigabyte GTX 970 G1 Gaming | Motherboard - ASUS Strix Z370-G WIFI AC | RAM - XPG Gammix DDR4-3000MHz 32GB (2x16GB) | Main Drive - Samsung 850 Evo 500GB M.2 | Other Drives - 7TB/3 Drives | CPU Cooler - Corsair H100i Pro | Case - Fractal Design Define C Mini TG | Power Supply - EVGA G3 850W
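How the password check mentioned in the post above can work without the service seeing your password, as an added example that is not part of the post: the Pwned Passwords range lookup (https://api.pwnedpasswords.com/range/ followed by a prefix) receives only the first five hex characters of the password's SHA-1 hash. The server side here is simulated offline, and its corpus and counts are constructed.

```python
import hashlib

# Constructed stand-in for the breach corpus: password -> times seen.
CONSTRUCTED_CORPUS = {"password": 9_000_000, "hunter2": 20_000, "letmein!": 300}

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def simulated_range_response(prefix):
    """Server side (simulated offline): given only a 5-character hash prefix,
    return 'SUFFIX:COUNT' lines for every corpus hash under that prefix,
    plus one zero-count padding line of the kind the real service can add."""
    lines = [f"{digest[5:]}:{count}"
             for digest, count in ((sha1_upper(p), n)
                                   for p, n in CONSTRUCTED_CORPUS.items())
             if digest.startswith(prefix)]
    lines.append("0" * 35 + ":0")  # padding entry, never a real match
    return "\r\n".join(lines)

def breach_count(password, fetch=simulated_range_response):
    """Client side: hash locally, hand over only the first 5 hex characters,
    and compare the remaining 35 against the returned suffixes."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)  # 0 for padding lines, so they never count
    return 0  # suffix absent: not in the corpus
```

To query the live service, pass a `fetch` function that performs the HTTPS GET for the prefix and returns the response body.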


1 hour ago, TheKDub said:

where* (in the title)

 

Check on here: https://haveibeenpwned.com/ (They also have a password check tool. It's safe to use, they just check what you enter against millions of accounts that have been leaked to see if there are matches.)

I'd change the passwords on any accounts using the password in question, make sure that 2 factor authentication is on wherever you can turn it on (especially on your email address), and force logout of everything you can. (Some websites will let you see where you're logged in and let you log out of certain places or everyone at once. Some websites also automatically log you out of everywhere after changing your password. I wouldn't be surprised if some don't do this though.)

 

How can you be so sure? What if it slipped through the protection?

 

What specifically is the "high end protection" that you have?

Bitdefender and Malwarebytes. There's probably better now but those were the best ones a few years ago.


Like said, it's a scam. Happened to me too. With the same username that I use here and one of my older passwords. So I tried to send an email back telling them what kind of miserable d-bag they are. But as you might have guessed, it was a burner email. I would have been interested to see what they got on me. And to whom they were planning to send that data. Considering that I use this username and that password only on sites I'm not so interested in.

 

Anyway. I've used LastPass for years. So all sites I register and log in to are saved there. Looking at what sites have been hacked with my username/email in the past, I purged the whole password database. Removing accounts I didn't need anymore, changing passwords to combinations which had been compromised.

 

I use 5 usernames/emails and maybe 7-10 passwords. Some of them are bad, but those aren't in relation to any meaningful sites. And most important sites also have either 2FA or national hard protection (social security + bank ID).

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


15 hours ago, Shadow_Storm56 said:

I don't like the idea of a password manager, if I forget its password I'm screwed. Plus it puts it in one spot, also that link said I'm super pwned on that email.

Write down your master password to your password manager. Keep that in a safe or in a safety deposit box. 

 

You could also create 4 random questions about your life and use the answers as your master password. This way you can write down the questions without the answers and keep it somewhere hidden, so if someone does find the paper they still don't know the answers. 

 

Another option is to create a fake URL and hide it among other URLs that you print out. Kind of like hiding it in plain sight. No one expects a list of URLs to be one of your master passwords. You could also take a document you've written like an old school paper and pick a random sentence from it to be your master password. It's another way to hide your master password in plain sight without forgetting it.

 

As for the issue you have with keeping your passwords in one spot you could also do the 2 password managers option. You have one password manager for the super important passwords like banking or email. Then another password manager for the regular boring stuff. This way you disperse your attack surface but honestly this can be overdone. One thing I like to do is have a password manager like KeePassXC to hold all my passwords and allow Chrome to store the less important ones for easier logins. If I need a new password I use KeePassXC to generate and store it and then let Chrome store it if it's not that important. This way I can keep the password manager closed when I don't need it as a password manager is only secure when it's locked. My important passwords are safe and I get to keep easy access to my everyday passwords.

 

I know you may think you only have 20 passwords, I thought the same thing until I got a password manager and realized I had over 100 passwords. It's so easy to forget all the passwords we created in the past until one of those accounts gets hacked.

 

While 2FA is great and secure, having a strong and unique password is more important. Just having 2FA and not a strong or unique password is making 2FA less secure and destroying its purpose. This article better describes this. 


Those spam emails are pretty common in the recent weeks. "we have your password ......, we hacked your camera and have footage of you <YouKnowWhat>. Give us BTC".

Change your passwords. Use a password manager. USE DIFFERENT PASSWORDS!


59 minutes ago, Acedia said:

Those spam emails are pretty common in the recent weeks. "we have your password ......, we hacked your camera and have footage of you <YouKnowWhat>. Give us BTC".

Change your passwords. Use a password manager. USE DIFFERENT PASSWORDS!

Yeah, as said before it's a password used in my low importance accounts and it's old... it is now retired, I have no camera so I wasn't worried about that.
