The latest internet scam is simple, but the scammers’ bitcoin wallets show it to be very lucrative.
Hackers steal passwords in bulk from websites such as Facebook, Adobe, and especially smaller online retailers or niche websites that can’t employ dedicated IT security engineers. As you can see from the list of publicly admitted thefts here, bulk password theft is shockingly common. Chances are you have had many of your passwords stolen (which is why you should not use the same password for more than one service, but that’s another story).
The stolen passwords are sold on the dark net, where other scammers buy them. These scammers use simple scripts to create emails that prominently display the stolen password, plus a story about how they have also stolen your contacts list, and used your webcam to video you in compromising situations. They simply threaten to send this video to all your contacts unless you send payment (usually via bitcoin).
The good news is that it’s all a bluff and an empty threat. They do not have any video of you, nor your contacts list, nor any idea of what websites you have visited (other than the one where your stolen password came from). They are counting on a fraction of their victims being so rattled by the threat that they send payment, even though they haven’t proven they have anything, and even though paying an anonymous ransomer is literally hoping for honour from a proven thief.
The risk from this scam is low if you know to ignore the ransom threat, but the risk of having your password stolen may be high. If you have been re-using passwords, now is the time to fix that by changing all your passwords.
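For anyone filtering mail for other people, the traits described above (a displayed password, webcam and contacts claims, a bitcoin payment demand) can be checked mechanically. The following is an added example, not part of the original article; the keyword lists, the threshold of 4 and all sample text are assumptions constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Claims the scam emails make, per the description above (keyword lists are assumptions).
CLAIMS = {
    "password": r"\bpassword\b",
    "webcam_video": r"\b(webcam|video|recorded)\b",
    "contacts": r"\bcontacts?\b",
    "payment": r"\b(bitcoin|btc|payment)\b",
}

def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload + first 4 bytes of double SHA-256, in base 58."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def is_btc_address(s: str) -> bool:
    """True only for a legacy (1.../3...) address whose checksum verifies."""
    if not s or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    if n >> 200:  # does not fit version byte + 20-byte hash + 4-byte checksum
        return False
    raw = n.to_bytes(25, "big")
    return raw[0] in (0x00, 0x05) and b58check_encode(raw[:-4]) == s

def indicators(body: str) -> set:
    """Names of the scam traits found in an email body."""
    hits = {name for name, pat in CLAIMS.items() if re.search(pat, body, re.I)}
    if any(is_btc_address(a) for a in ADDR_RE.findall(body)):
        hits.add("btc_address")
    return hits

def looks_like_sextortion(body: str, threshold: int = 4) -> bool:
    return len(indicators(body)) >= threshold

# Constructed sample data: the address is derived from a fixed string, not a real wallet.
SAMPLE_ADDR = b58check_encode(b"\x00" + hashlib.sha256(b"constructed sample").digest()[:20])
SCAM = ("I know hunter2 is your password. I recorded you through your webcam and "
        f"copied your contacts. Send $900 in bitcoin to {SAMPLE_ADDR} within 48 hours.")
BENIGN = "Your password was reset. If this was not you, contact support."
```

Verifying the address checksum rather than only matching its shape keeps random alphanumeric strings, such as tracking tokens, from counting as a payment address.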