A blackmail spam message is making the rounds this week. It begins with "Let's cut to the chase. I am aware [the password here] is your password. More to the point, I know your secret..." The spammer goes on to say that he knows you visited sites that might be embarrassing, has all of your contacts and will tell them about your browsing habits if you don't pay him off.
This is important! If you are still using that password for email or on any other site, change it immediately, preferably to a different password for each site.
Yeah, right. It's clever but it's all lies. Only your email address, password, and the bitcoin account are real. And hopefully, the password was changed long ago.
It's spam, pure and simple, and should be reported as junk mail and deleted. Don't even think about paying the spammer. He's counting on a bad habit many users have, reusing one password on many sites, to make you think he knows what you've been up to.
He (or his cohorts) did not hack your computer, install a keylogger, or do anything he says they did. They got your address and the password from an old database hack and are hoping at least a few people will fall for their scam.
To see which breaches your address was compromised in, check https://haveibeenpwned.com/
I've received three so far this week, from different addresses (all outlook.com - seriously Microsoft, you can't filter this spam?), asking for differing amounts of bitcoin to keep quiet. The password they have is an old password, one I haven't used in years as it's lower-case alpha. I don't recall if I ever used it as my email password. If I did, it was a long time ago, before I moved to Office 365 in 2013, because it doesn't meet the Office 365 password complexity requirements.
If you reuse passwords on many accounts, it's impossible to know which database hack it came from, but the spammers don't care that it's from an old database hack; they got the email address and password you used on the hacked site and hope they can fool you. This is much easier if you used the same password for email. If they can convince you that they have this information, you'll believe them, panic and pay up. Yes, they are playing you for a sucker. Don't fall for it.
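The message follows a fixed template (a claimed password, a bitcoin demand, threats about contacts and browsing history, a deadline), which makes it easy to flag in a mail filter. The following is an added example, not code from this post or any mail product; the regexes, the sample sextortion body and the sample password-reset body are all constructed for illustration.

```python
import re

# Heuristic detector for the "I am aware X is your password" sextortion template.
# Patterns are illustrative assumptions, not a vendor rule set.
PASSWORD_CLAIM = re.compile(
    r"\b(?:i am aware|i know|i have)\b.{0,60}?\bis your password\b", re.I)
# Loose match for legacy (1.../3...) and bech32 (bc1...) bitcoin addresses.
BITCOIN_ADDRESS = re.compile(
    r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
PAYMENT_DEMAND = re.compile(r"\b(?:bitcoin|btc)\b", re.I)
THREAT_WORDS = re.compile(
    r"\b(?:contacts|webcam|recorded|browsing|keylogger|embarrass\w*)\b", re.I)
DEADLINE = re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I)


def score_message(body: str) -> dict:
    """Return the indicators found in one email body plus a score and verdict."""
    hits = {
        "password_claim": bool(PASSWORD_CLAIM.search(body)),
        "bitcoin_address": bool(BITCOIN_ADDRESS.search(body)),
        "payment_demand": bool(PAYMENT_DEMAND.search(body)),
        "threat_language": bool(THREAT_WORDS.search(body)),
        "deadline": bool(DEADLINE.search(body)),
    }
    hits["score"] = sum(hits.values())
    # The password claim together with a payment signal is the template's core;
    # the other indicators only raise confidence. A genuine password-reset mail
    # mentions "password" but has no claim-plus-payment pairing, so it stays clean.
    core = hits["password_claim"] and (hits["bitcoin_address"] or hits["payment_demand"])
    hits["verdict"] = "sextortion" if core else "clean"
    return hits


# Constructed sample bodies (the address is a made-up, syntactically valid string).
SEXTORTION = """Let's cut to the chase. I am aware summer2009 is your password.
More to the point, I know your secret. I have all of your contacts and a recording
from your webcam. Send 0.3 bitcoin to 1SPAMSAMPLEADDRNTREALxyzabcdefgh within 48 hours
or I will tell them about your browsing habits."""

RESET = """Hi, we received a request to reset your password. If you did not make this
request, ignore this email. Your current password is not affected."""

if __name__ == "__main__":
    for name, body in (("sextortion sample", SEXTORTION), ("reset sample", RESET)):
        print(name, score_message(body))
```

Running it reports the constructed sextortion body as "sextortion" with all five indicators hit, and the password-reset body as "clean" with a score of 0.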
If you want to contact the appropriate authority in your country:
- United States residents: FBI IC3 Complaints
- UK residents: Action Fraud
- In the EU, check https://www.europol.europa.eu/report-a-crime/report-cybercrime-online for country contacts