Suspicious & Threatening Emails: How to Stop It?

[sandy stone]

Within the past 24 hours, my wife has received 2 emails, one suspicious and one threatening, seemingly from her own email account. The threatening email explicitly quoted her email password, which is also the password for accessing our account at our ISP. This is under Windows 10, using the email app bundled with Win10. The emails also show up when accessing our ISP account directly. Malwarebytes and Windows Security both assure me our system is clean.
What is going on here, and more importantly, how can I stop it from happening again?

 

[pbuk]

There has been a data breach, either at your email provider (edit: although this is unlikely) or at some other service linked to your email account using the same password. Edit: this breach may have happened some time ago: for instance data breached from LinkedIn in 2016 is still 'doing the rounds'.

You can get some more clues by entering your email address at https://haveibeenpwned.com/.

You should obviously change that password wherever you are using it immediately. I use a password manager to set and manage secure passwords for all my accounts.

 

[sandy stone]

Thanks! I was not previously aware of that website.

 

[Borg]

What is going on here, and more importantly, how can I stop it from happening again?

Change your password?

 

[Vanadium 50]

Change your password?

You shouldn't have "a" password. That would be like having your car key the same as your house key. Someone gets one, they get both.

You want a password manager. That has a local password, like "correcthorsebatterystaple" (well, maybe not that one) and that is used to generate individual passwords for every site. Passwords like 8o$E0YbfM*xzthFOt*lj, 7Dq*4hs2U@LHaoCUmx96 or bG48@C*C*Qn5*98JIgIM. I won't say this is bullet-proof, but it is bullet-resistant.

 

[Borg]

Yes, passwords.

 

[sandy stone]

Thank you all, food for thought.

 

[MikeeMiracle]

I've had this before, the password was a generic one I use for multiple sites non important sites (i.e sites like forums which do not have any personal identification / financial details present.) I just assumed at some point one of the web sites had been hacked and they just used this password to try and scare me.

This is likely what has happened to you, the scammers try and scare you into making quick and rash decisions where in reality there is nothing major which has been compromised.

In terms of the e-mail appearing to come from yourself, this is a very simple to do with a few basic commands if you have access to an e-mail server configured as a relay. That "from" e-mail address is just plain text, it's just your e-mail server adding it in manually when you send an e-mail but you can configure it to say literally anything.

In this case setting it your your own e-mail address just serves to re-enforce the fear / belief that your account / computer has been hacked when that is not necessarily the case.

 

[anorlunda]

I've had this before, the password was a generic one I use for multiple sites non important sites (i.e sites like forums which do not have any personal identification / financial details present.)

As others said, this is very bad practice on your part. Stop doing that immediately for your own good.

Others also told you to get a password manager. I use one. It costs me $29/year. I let it choose very long and difficult passwords for my accounts. It synchronizes across all my devices. It even automates password changing on popular sites as often as once every 30 days.

When a data breach occurs, and the login credentials for many clients are stolen. As many as 300 million at a time. The stolen data becomes available for sale on the "dark web" It is easy to buy millions of user credentials on the dark web. But it may take many months for your stolen data to be sold or exploited. That is why frequent password changes give better protection than hard-to-guess passwords. If you change them every 30 days, the stolen version is not likely to be exploited by bad guys before the 30 day limit.

Several sites are also pushing us to use multi-factor authentication. For example, to get access you need the correct user name and password and use of a computer that you used before. So a criminal could not get access with your stolen password using the criminal's computer.

IMO multi-factor is difficult to use and very inconvenient. I prefer the password manager.

 

[MikeeMiracle]

As others said, this is very bad practice on your part. Stop doing that immediately for your own good.

I'm not the OP ;)

In either case, I do not repeat passwords on anything "important." If my PF account get hacked I have lost nothing, even if it did offer multi factor authentication (MFA) I would not use it as it's mildly annoying. I use separate randomly generated passwords on any sites which have any personal identifying information or financial details on it. MFA is a very useful tool against hacking and should be used for important sites, I just think it's unnecessary for generic sites with no personal loss if they are compromised.

Gone are the days when people hacked others for "fun" like they used to do in the good old days, these days they are organised criminal gangs looking to exploit you / your information for financial gain. If there is no gain then they won't bother with it so there is no need to go over the top with your protections for those sites in my opinion.

As annoying as MFA is, it's preferable to constantly changing login details. This I would find a pain, especially if you have logins for many different places you need to change them. Frequent password changes are also not required if your using unique passwords in every site as any stolen login details cannot be used elsewhere.

I do not trust any of the online password managers, they are all susceptible to being hacked, I believe Lastpass was hacked last year. Sure they are "convenient" but convenience and security do not go hand in hand from my experience.

The only online password / cloud backup services I would use are designed with a so called "Zero Knowledge" policy. This means that data is encrypted using your login details on YOUR computer and only encrypted data is copied to and from their online servers. To decrypt it it requires your login details and that decryption takes place on YOUR computer.

If your account got hacked all the hackers would see is encrypted data and without the login details they have no way of decrypting it. There is no "master key" which can unlock data in a "Zero Knowledge" system by design. This also means that if the company is approached by law enforcement to gain access to your data, they also are unable to decrypt your data. The only possible drawback to this design is that by definition only your login details can decrypt your data so if you lose your login details there is no way to recover the data and it's lost permanently.

 

[pbuk]

I do not trust any of the online password managers, they are all susceptible to being hacked

References?

I believe Lastpass was hacked last year.

I don't: reference?

The only online password / cloud backup services I would use are designed with a so called "Zero Knowledge" policy. This means that data is encrypted using your login details on YOUR computer and only encrypted data is copied to and from their online servers. To decrypt it it requires your login details and that decryption takes place on YOUR computer.

Oh, https://www.lastpass.com/how-lastpass-works you mean?

 

[symbolipoint]

The only online password / cloud backup services I would use are designed with a so called "Zero Knowledge" policy. This means that data is encrypted using your login details on YOUR computer and only encrypted data is copied to and from their online servers. To decrypt it it requires your login details and that decryption takes place on YOUR computer.

Does that mean, when you visit any log-into sites, you must let the browser KEEP the cookies after closing the browser? So clearing the cookies after each browser session, or using 'private' or 'incognito' mode will ensure you cannot log-in to your online accounts later?

 

[DaveC426913]

In either case, I do not repeat passwords on anything "important." If my PF account get hacked I have lost nothing,

It's not about what you've lost; it's about what they've gained.

A common practice in identity theft is to use hacked low security data to help hack higher security data.

They work their way up the ladder. Like starting with a worthless Costco card and ending up with a valuable forged passport.

 

[MikeeMiracle]

Does that mean, when you visit any log-into sites, you must let the browser KEEP the cookies after closing the browser? So clearing the cookies after each browser session, or using 'private' or 'incognito' mode will ensure you cannot log-in to your online accounts later?

Why would I not be able to login to these site afterwards? What happens the first time you visit a site? It copies a cookie onto your computer just like any time one is required and not found. Sure it means you have to login to a website each time you visit it but so what, it's a minor inconvenience and prevents tracking cookies from getting anything meaningful.

I either:

1) Open a browser in a sandbox which auto deletes everything when the browser closes including cookies and data obtained during that session.
2) Browse using Firefox which has a bunch of extensions which refuse cookies by default, you can choose to allow them per session but they get deleted afterwards. With this setup the plug ins also block all javascript / cross site scripting connections etc, again you can allow it on a per sessions basis but nothing is kept after the browser closes.
3) Browse using a virtual machine with a non-persistent disk, as soon as you power off the VM any changes / downloads that have occurred since you powered it on are wiped out.

Option 3 is the safest method and I know form previous threads on this forum that I am not alone in doing so.

 

[MikeeMiracle]

It's not about what you've lost; it's about what they've gained.

A common practice in identity theft is to use hacked low security data to help hack higher security data.

They work their way up the ladder. Like starting with a worthless Costco card and ending up with a valuable forged passport.

And what have they gained? An e-mail and a password for web sites where I have no personally identifiable info not even my name.

I have 2 separate e-mail address. My main personal e-mail address using my own domain on a e-mail server I run myself. Any sites with any personally identifiable info I have unique login details for, use my main e-mail address, long passwords and if possible multi factor authentication. The second e-mail address is with a cloud provider and is used whenever I login to sites with no personally identifiable info.

By definition sites with personal identifying info are generally quite hot on security, more so than sites without any personal data.

As you can see I'm not just using 1 browser install with 1 e-mail address and have everything linked to it. Doing so means you need to take all the extra security considerations at all times. This is what the majority of the public does and the extra precautions are required. If you can split things up and separate out the "important" and "non-important" stuff you do online then you know when to be cautious and when you can be more relaxed.

I have always been focused on security since long before it was even a thing the public were aware of. I have put a lot of thought into it and how to keep things secure via separation. I even have a dedicated VM just for entering financial information into which gets "wiped / reset" after each use.