Hack - iPhone camera and websites

Hello Andy,

I received the same email ( one hour ago ) with the four digits of my phone and my email.

Probably they hacked a website containing our email and mobile phone but PROBABLY they have not hacked our mobile phones.

This email is spam . You have not to pay anything.

I never been on XXX websites with my mobile phone; they try with all phone numbers they caught hoping that someone will believe and pay .

Don't worry .

Regards

Hi I have just received the same email - the domain is registered to a school in Pittsburgh - I have reported it to the Domain abuse centre which is registered with Go Daddy and also sent a message to the Schools IT Helpdesk advising them of the email that has sent this attempt at Blackmail - so I suspect it's one of their students practicing their IT skills. I have asked them to take action and advise me. Hopefully that will make his or her card.

I got this too. It's pretty bad. In fact I got FOUR emails, one like this and 3 others like this:

Hello!

I'm a member of an international hacker group.

As you could probably have guessed, your account XXX@XXX.XXX (removed email for this forum) was hacked, I sent message you from it.

Now I have access to you accounts! You still do not believe it?

So, this is your password: ****** (removed password for this forum) , right?

Within a period from July 5, 2018 to September 21, 2018, you were infected by the virus we've created, through an adult website you've visited.

So far, we have access to your messages, social media accounts, and messengers.

Moreover, we've gotten full damps of these data.

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on **** websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!

I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $700 to our Bitcoin wallet: 1DzM9y4fRgWqpZZCsvf5Rx4HupbE5Q5r4y

I guarantee that after that, we'll erase all your "data" 😀

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.

If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security. We hope this case will teach you to keep secrets.

Take care of yourself.

The problem is, they actually got my email AND passwords correct! These are passwords I stopped using (I think? It's hard to tell when you've used hundreds of websites) but still... it's a major problem.

Obviously, SOMEONE has done a major hack, of some websites, or at least collected a lot of info and is making good use of them. This is a major operation and SOMETHING SHOULD BE DONE ABOUT THIS.

There is one clue... the time-frame from the email: "July 5, 2018 to September 21 2018".

Whoever is done this, has done this hack in that time-frame, or at least been processing previously collected data during that time-frame.

I am really... really really really really... REALLY glad I switched over to using a unique-password system... for all my major accounts. But it's just sad that ANY websites are storing (or ever HAVE STORED) passwords in plain-text or even encrypted-form.

ALL passwords should ALWAYS BE STORED IN HASHED FORM... IN EVERY WEBSITE/COMPANY/ETC.

IT SHOULD BE ILLEGAL TO STORE A PASSWORD IN PLAINTEXT OR ENCRYPTED FORM!!!! Why do they need it? When a hash is good enough???

It's just asking to be hacked. It's lazy and absolutely irresponsible, saves the the developers 30 minutes of effort (maybe 2 hours effort including debugging), but wastes billions of pounds of money across the world.

It's absolutely criminal and SHOULD BE STOPPED. There seriously needs to be a law OUTLAWING STORING OF PASSWORDS IN ANY FORM THAT THE COMPANY OR HACKERS OF THE COMPANY CAN GAIN ACCESS TO.

I received the same message this morning. Don't ever click on a URL in an email unless you're certain of the origin.

Don't sweat that they have your email and phone number. That stuff is readily available and is the very tip of the iceberg for hackers--only useful for doing stuff like this. (Ironically, the phone number they listed in the email that came to me is for my landline, so I know immediately this had nothing to do with my iPhone.)

As others said, these guys are looking for those who are freaked out and will respond to avoid embarassment. Think about it, if they get even a dozen people to give them money, that's a pretty sweet haul for what probably wasn't much work at all.

You're safe.

It's a scam. They have no such recordings. There have been multiple topics on these forums regarding this same stupid email.

This is one of the results of the many hacked servers you've seen in the news where they've stolen millions of customer data records. They're using the data to send out these bogus emails to the addresses harvested in the hacks. It's also where they got your phone number from to make the claims more believable.

It's still just scam. They have nothing, but are hoping you'll give them lots of money for nothing.

DO NOT respond to these emails in any way. Just delete them.

"It's a scam. They have no such recordings". I know that. That's not the point.

The point is... they emailed me (in plaintext)... THREE OLD PASSWORDS OF MINE. That I KNOW TO BE MINE BECAUSE I USED THEM.

THAT IS REALLY BAD.

What would your reaction be if YOU got an email with a correct password (even if an old one) of yours.

It's an old password, but considering I've used hundreds of websites over the years... I can't be sure it's not in use anymore.

Whose to say they haven't ALREADY logged in (to god knows what account of mine) and found MORE information? Maybe even set a backup email for themself.

THAT IS REALLY BAD.

And how is three old, defunct email addresses bad? They're of no use to anyone.

What would your reaction be if YOU got an email with a correct password (even if an old one) of yours.

The same thing you should be doing. Ignore it.

Oh, I just received the same email and I'm living in South Korea.

And I don't ever remember that I approached to a **** site using my phone unless I'm a sleepwalker who's unconsciousness is full of that, (well, happy that I'm not.)

So that was the point I first doubted about the email..

Furthermore, I actually don't give a **** to it and am not quite afraid if everyone in my contact gets to know my private life with photos or video of myself. I got only 40 contacts in my phone anyways. Also, everybody's got dark sides which they try to hide so people will understand and eventually forget about me.

BUT! I'm happy to know clearly that this email is just a scam,

Thanks everyone for sharing ideas.

Hi All,

A couple of quick links for you:

Does Crime Pay? - See https://bitref.com/1EkAVVDg8Rbwwa7j9DbvHQ7VmQ4FkBdEGT

- the above references the specifc Bitcoin address shown here. We had a look out of interest and the answer (so far) is No, it does not (this balance is about USD3) ..

Where are your details online - have a look at your email address at: https://haveibeenpwned.com/ - this will show if your account was part of a number of high profile breaches where userIDs / Passwords were made public - if you come up then a good idea to change your passwords on other sites if you think there were the same might be used elsewhere..

And for best defence for your email etc.: https://www.turnon2fa.com/ - many services allow 2 Factor Authentication and often for free as a second factor beyond just a password to protect your account.

Regards

OHD

PS - Bitcoin is also very traceable so that police etc. have traced and found people when they withdraw money in the real world or for real world product / services they then get caught. Attempted brackmail carries a 10-20 year prison sentence.. and this is the case if someone does or does not have any embarrasing material on you is completely irrelevant to the crime. Most of the time mails like this one are just pranks but they are also ones that have put teenagers behind bars as they are not particularly funny in the cold light of day.

I also got the same boring email and first thought wow someone really tries hard to get money 😂😂😂😂 I really wanted to write an email back with a fake email address and tell him I can only transfer u 2000 bit coin but only if we meet up personally at Starbucks for a cup of coffee.

Anyway don’t believe in such kind of emails and don’t pay any cent!! There is just one thing u can do Delete the emai!

Hello, I also got this, and I can tell you this is fake, I changed my main phone number a long ago. And I use my second phone without internet connection. There is no way they can do this. What was possible happened that there was a LinkedIn leak before and they have your data from it.

I don't live in USA and also received this email.

1. I don't intend to delete this mail. it's a souvenir that i'll send to my friends to enjoy.

2. I sent this email to a site in my country that publish chain emails and others irrelevant emails, in order to publish it.

3. I addressed this email to my country police cyber team in order to find the responsible and contact the US police.

Hope this will help any one that is upset, to sleep well...

Hi,

Before you register to a website, please make sure that the website is secured; ie. Https instead of http. If they are using http, use a password that is not used in other website login.

Anyone can create a form, make it looks like a password field (but it actually not), and store it in the database as is, not encrypted. And if the database itself not encrypted, well..

Hope it helps.

A.

Sorry, but that doesn't help. The site for a bank or whatever itself can be secure, but that has nothing to do with how the transferred data is stored.

HTTPs only ensures that the site and your browser have negotiated an encryption key that only they know. No one who snags data packets in between can do anything with it since they don't have the decryption key.

But, once the bank (insurance company, etc.) has your data, they can choose to add it to an encrypted, or unencrypted database.

No one here is listening. As I said at the start... HACKERS HAVE STOLEN SO MANY DATABASES AND THEN DECRYPT PASSWORDS... Or even the passwords are stored in plain-text. Once they have that, they have a password you are using on many sites.

And as I said, already... at the start... that no one even listened to...

NONE OF THAT IS EVEN NECESSARY.

Just store a HASH OF THE PASSWORD. A salted-hash using a salt unique to your company.

Don't tell me "use a unique password per site". No one does that... unless they log in to only 2 websites. Anyone who uses the internet a lot... who has used hundreds of websites, will be reusing passwords. That or using some "password solution" to generate unique-passwords per-site... and remember it for them... but that's not built in or standardised... most people are only able to just reuse a few passwords.

Anyone saying anything different is either a hypocrit or has only ever logged into two websites. One being this one apple.com... so they probably only log into one other website in their entire life time.