Receiving a spam email that contains your password
The internet has been incredibly beneficial in spreading educational information, positive experiences and digital services to all four corners of the globe. Despite this, the internet is also used for malicious attacks. These attacks come in many forms, including viruses, worms, and phishing. They trick unsuspecting victims into giving away sensitive details or paying a ransom to recover their files. As you can imagine, paying rarely results in your files coming back, leaving you out of pocket and out of action.
The most common form of malicious attack is phishing. This is where attackers masquerade as a legitimate business, or use information about you to pressure you into responding. One increasingly common tactic is the use of spam emails containing your password. This can be incredibly alarming, especially if the password is one you are currently using.
Don’t panic – keep reading to understand how these attackers got your password, and how you can reinforce your cybersecurity practices to avoid becoming a victim.
Examples of spam emails
Here is the start of one spam email in our inbox:
Hello <username>
You have multiple (5) calls to your account for the balance of your BitCoin account. You did not answer that. This is an automatic bulletin for the balance in your BitCoin account.
Balance: $ 14.000,00
Account deleted: 15 - 07 - 2020
This email was sent to inform us that we apparently have $14,000 worth of Bitcoin in a Bitcoin wallet. The "Account deleted" line is designed to make you panic, while elsewhere in the email it says "Click accept now to recover funds". Some people may fall for this, and the link then asks for personal details and credit card information.
WARNING – None of this information is real; it is automatically generated to give the illusion of something that does not exist. The sender address is Op35UnO@spam.com, which should be a huge red flag! Only trust emails from domain names you know, and never click links in an email you were not expecting to arrive.
Emails containing your password
The first example is incredibly common, but it does not contain any information that puts your security at risk. It only had our email address, and used the part before the @ (shown as <*****>@mailprovider.com) as our username.
What should be concerning is when you discover an email containing your password. This means that, in the past, your account details were leaked in a data breach.
Attackers obtain this information in a fairly simple way: they likely bought it from a dark-net marketplace that sells personal information, then automatically emailed thousands of people at once.
WARNING – Do NOT use the same password for everything. While easy to remember, it also makes it easier for attackers to access multiple services that you use. If your bank and email accounts both use the same password, attackers can log in even with two-factor authentication (2FA) enabled, because codes sent to your inbox can be read by whoever controls it. Check this now, and change your password if so, as the risk is severe.
As long as you regularly rotate your passwords, seeing an old password should not be concerning. You can check whether your email address or password has been exposed using the haveibeenpwned.com website. This service collects and analyses hundreds of breached databases (database dumps), found both on the regular internet (clearnet) and the dark net. By inputting your email address, haveibeenpwned checks its reference database for any entries listing your email.
Using our email, we discovered four data breaches where we were pwned:
MyHeritage
River City Media Spam List
Special K Data Feed Spam List
Trillian
Two of these entries relate to email spam lists. There is little you can do to wipe your data here, and the data has likely been sold on to the highest bidder, probably other spam-list operators.
The other two are well-known service providers. As the first port of call, you should attempt to log in to the accounts associated with your email address. Do not reset the password. Instead, try to log in with one of your previous passwords.
If you can successfully log in with a previous password, you have identified a compromised password that should never be used again for any account. For example, if your password was nohack123, you should NEVER use this password when registering for any new web service. This applies even when using an alternative email address.
The reason is that the password will be added to a brute-force dictionary: a list of everyday words, phrases and previously leaked passwords that cracking tools try first. It is likely that nohack123 will be listed and used there, as it was previously found in a data breach. Since your email address can easily become public, you may be at risk if a brute-force tool happens to try your new email and old password together.
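As an added example (not code from the original article, and not haveibeenpwned.com's own code), here is how a defender can check whether a password appears in breach data the way the haveibeenpwned.com Pwned Passwords service does, using its k-anonymity range API: only the first five hex characters of the password's SHA-1 hash leave your machine, and the match against the returned suffix list is made locally. This is the same corpus the brute-force dictionaries above are built from, so a non-zero count means the password must be retired. The network call is optional; `fake_range_fetcher` is a hypothetical helper that builds a constructed reply in the real response format so the block runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords k-anonymity API. Each line of its reply is
# "<35 hex chars of SHA-1 suffix>:<number of breaches the password appeared in>".
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn a range reply ("SUFFIX:COUNT" per line) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breaches the password was seen in (0 = not in the corpus).
    fetch_range(prefix) must return the reply body for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Fetch a range from the real service (needs network; not used offline)."""
    import urllib.request
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_range_fetcher(leaked: Dict[str, int]) -> Callable[[str], str]:
    """Hypothetical offline stand-in: builds a reply in the real format from a
    constructed dict of leaked passwords and their breach counts."""
    def fetch(prefix: str) -> str:
        lines = ["0123456789ABCDEF0123456789ABCDEF012:7"]  # constructed filler entry
        for pw, count in leaked.items():
            p, s = sha1_prefix_suffix(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        return "\r\n".join(lines)
    return fetch


if __name__ == "__main__":
    # Constructed breach corpus: the article's example password, seen 1234 times.
    fetch = fake_range_fetcher({"nohack123": 1234})
    for candidate in ("nohack123", "M1jVtKft@ZRV&UI!a3wG"):
        n = breach_count(candidate, fetch)
        verdict = f"seen in {n} breaches, never reuse it" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

To query the real service, pass `live_fetch_range` instead of the fake fetcher; the password itself is never transmitted, only the five-character hash prefix, and the service returns every suffix sharing that prefix so it cannot tell which one you were interested in.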
Cybersecurity advice
The risk from combining a new email address with an old password is small. Still, no risk is better than a low risk, so you should take proactive measures to bolster your cybersecurity by using a password generator.
Password managers commonly include a random password generator. This creates a long string of numbers, letters, and symbols. By using this as your password, you virtually eliminate the risk of your password being cracked.
As an example, LastPass offers a Password Generator Tool on their website. You can specify a password length, make it speakable or readable, and specify which characters to use (upper case, lower case, numbers, symbols).
We generated a secure password, which you can see below:
M1jVtKft@ZRV&UI!a3wG
As you can see, this contains no dictionary words, making it difficult for brute-force tools to crack. By going to howsecureismypassword.net, we can find out how long it would take to brute-force this password:
42 QUINTILLION YEARS
That’s a lot of time and much longer than our lifespan – more than secure enough to see us through! Remember, use a new password for each service, and don’t reuse passwords (however tempting it may be). Try to set a new password every three months. That way, a data breach will be of minimal concern.
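As an added example (not the article's code, and not the LastPass or howsecureismypassword.net tools themselves), here is a small generator in the spirit of the one described above, built on Python's `secrets` module, together with the entropy and brute-force-time arithmetic behind figures like the one quoted. The symbol set (`string.punctuation`, 32 characters) and the guess rate of one trillion guesses per second are assumptions, so the resulting years are an order-of-magnitude illustration rather than the website's exact figure.

```python
import math
import secrets
import string

# Character classes. The symbol set is an assumption (string.punctuation, 32 chars),
# since the page does not say exactly which symbols the LastPass tool offers.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 characters


def has_all_classes(password: str, classes=CLASSES) -> bool:
    """True if at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 20, classes=CLASSES) -> str:
    """Draw characters from the OS CSPRNG behind `secrets` (never `random`) and
    reject draws that miss a class, so every class is guaranteed to appear.
    The rejection keeps the result uniform over the accepted set."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(length: int, alphabet_size: int,
                         guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw)
    print(f"entropy: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(f"exhaustive search at 1e12 guesses/s: "
          f"{years_to_brute_force(20, len(ALPHABET)):.2e} years")
    # Contrast: 8 lowercase letters fall in well under a second at the same rate.
    secs = years_to_brute_force(8, 26) * 365.25 * 24 * 3600
    print(f"8 lowercase letters: {secs:.2f} seconds")
```

The keyspace estimate is only meaningful for generated passwords: a human-chosen password such as nohack123 is found by a dictionary long before any exhaustive search, which is why the generator's output, containing no words at all, is the case where the entropy figure actually applies.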
Securely hosted services with Fasthosts
Online cybersecurity is of paramount concern, and the importance of good cybersecurity practices will only grow as more people get online. Fasthosts' data centres in the UK are ISO 27001-certified, meeting the best security standards for the industry. Alongside this, we also hold an ISO 50001 certification for energy management due to our use of 100% renewable energy sources at our data centres.
Get started on a secure and eco-friendly hosting platform! Contact our sales team on 0808 1686 777, or via email at sales@fasthosts.co.uk to get started.