Passwords – another reason not to re-use them

Yes, I know I’m always banging on about passwords

The simple fact is that this issue causes more problems than any other for my IT support clients. Therefore, I can’t resist telling you about something that happened a few weeks ago that offers yet another reason why you really shouldn’t use passwords more than once.

I received a phone call from a client saying that she’d just had a nasty email from someone saying that they had managed to access her Mac and, to prove it, they told her the password to get into her Mac. The email said they had stolen contact information, personal files, etc. I won’t describe what they said they were going to do next, but the bottom line was that they wanted about £3000 not to go ahead and do it.

Luckily, my client is a level-headed person who knew that a lot of what they said couldn’t be true. However, she was still – quite rightly – concerned about the accessing of her computer and asked me what to do. Since I was completely tied up with another client at the time I couldn’t give it detailed thought at that moment, so I advised her to contact the police and her bank and that I’d get back to her later.

The police said that it was a scam (i.e., there was no real threat – they were just trying to “con” money out of her as opposed to extorting it). However, the police didn’t tell her how it was done.

When I got a chance to look at the email itself later on, it seemed to me that absolutely everything in the email – except one fact – could be explained by saying that this was just a scam (that they were bluffing, lying, and hadn’t managed to get into her computer at all). The one inconvenient fact that didn’t fit this explanation was that they knew the Administrator’s password for her Mac. If they knew that, then there was a possibility that they could have accessed her Mac. That was why I had advised her to contact the police and her bank.

And then it struck me that the email address they used wasn’t her normal one, so maybe that was a clue. Maybe the combination of that email address and password had been used by her in another context and that that combination had become known to the bad person.

So, I checked to see if she had been “pwned”, i.e., whether her details had been exposed in a data breach. You can check to see if your email address has been involved in a data breach by visiting “Have I Been Pwned?”. Sure enough, her email address and LinkedIn password had been stolen many years before in that organisation’s huge loss of data. Wikipedia says of that data breach:

The social networking website LinkedIn was hacked on June 5, 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals. Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident.

My client did seem to remember being told of that data breach and undoubtedly did as LinkedIn suggested and changed her password. I asked her if she knew what the old password was and she couldn’t remember. Crucially, though, she said that it COULD have been the same password that she is now using (or was using until a few weeks ago!) as the administrator’s password on her Mac. What is almost certain is that her email address, together with that password, are up for sale on the Dark Net.

So, we concluded that what had probably happened is that the putative blackmailer bought her email address and LinkedIn password (probably on the Dark Net) and then just emailed her, assuming that the password for her LinkedIn account was the same as the password for her Mac. And he was right, so the scam worked (up to a point – but he certainly didn’t get any money from her). He managed to misdirect us into thinking that he’d gained access to her computer when, in fact, he hadn’t.

This scam can only work if people re-use passwords and if they don’t keep a record of what passwords they used, when, and for what. Had my client not re-used passwords, and had she kept such records, she would have been able to tell that the password he claimed was her Mac’s password was, in fact, an old password stolen in a data breach and not related to her Mac at all. The whole thing would then have been immediately obvious as a scam.
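The “Have I Been Pwned?” service mentioned above also lets you check whether a password itself has appeared in a breach, without ever sending the password to anyone: only the first five characters of its SHA-1 hash leave your machine, and the match is done locally. The following is an added example (not code from the original post or from Have I Been Pwned) that simulates both sides of that range lookup against a small constructed breach corpus; the `LEAKED_PASSWORDS` entries and their counts are made up for the demonstration.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for a breach corpus: leaked password -> times seen.
# These entries and counts are invented for the example, not real breach data.
LEAKED_PASSWORDS: Dict[str, int] = {
    "password123": 12345,
    "linkedin2012": 87,
    "letmein": 5000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range lookup works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index keyed by full hash, as a breach-checking service would hold it.
BREACH_INDEX: Dict[str, int] = {sha1_hex(p): n for p, n in LEAKED_PASSWORDS.items()}


def range_query(prefix: str) -> str:
    """Simulated server: given the first 5 hex chars of a SHA-1, return every
    matching 35-char suffix with its count as 'SUFFIX:COUNT' lines (CRLF-separated,
    the same layout the real https://api.pwnedpasswords.com/range/<prefix> uses)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = [f"{h[5:]}:{n}" for h, n in BREACH_INDEX.items() if h.startswith(prefix)]
    return "\r\n".join(sorted(lines))


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password: str, query: Callable[[str], str] = range_query) -> int:
    """Client side of the k-anonymity check: hash locally, send only the 5-char
    prefix, then look for our own suffix in what comes back. Neither the password
    nor its full hash is transmitted. Returns 0 if the password was not seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(query(prefix)).get(suffix, 0)
```

Swapping `query` for a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS turns this into a check against the live service; a non-zero count is a strong reason to treat that password as burned everywhere it was ever used.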

I rest my case (for now).