Xjyuk

Why did modems have speakers?

Is it possible to be an intellectual/do research without the internet?

Span command across LaTeX environments

Why does the salt in the oceans not sink to the bottom?

Where is this photo of a group of hikers taken? Is it really in the Ural?

What was the rationale behind 36 bit computer architectures?

What happens when two cards both modify what I'm allowed to do?

Raw curve25519 public key points

Using "Kollege" as "university friend"?

What is the spanish equivalent of "the boys are sitting"?

Travelling from Venice to Budapest, making a stop in Croatia

Using paddles to support a bug net

When were "acrobatics" introduced at weddings?

Is there a way to shorten this while condition?

How to write a sincerely religious protagonist without preaching or affirming or judging their worldview?

What exactly makes a General Products hull nearly indestructible?

Is it okay to paraphrase other authors' literature reviews?

Company requiring me to let them review research from before I was hired

Are rockets faster than airplanes?

Are gangsters hired to attack people at a train station classified as a terrorist attack?

Why can't a country print its own money to spend it only abroad?

Why did NASA use Imperial units?

Character Frequency in a String

What is the purpose of this "red room" in "Stranger Things"?

Sextortion with actual password not found in leaks

Can people let me know why this command was ran and why he typed "network hacked…clampi foundFound scam site that tricks you into giving them more contact info to remove your existing public infoMessage telling me that I bought something with credit cardSent text by bank I don’t have an account with- Is this a scam?Email from a hacker with my passwordI entered my password in a possible scam website. What should I do?Hacker used my account to place an order, but not my credit card. Why?Why would a scammer not reply with the same email?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

1

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?

scam

share|improve this question

edited 8 hours ago

user32849

asked 8 hours ago

user32849user32849

10644 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Anyone can set up a login form and then dump their database on the Internet. It's up to you to make sure this doesn't jeopardize you in any way.
  
  – John Dvorak
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  I don't see how this relates to the question.
  
  – user32849
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  No breach site can ever claim to be complete.
  
  – schroeder♦
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Do you know where this password came from?
  
  – schroeder♦
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unfortunately not.
  
  – user32849
  8 hours ago
  

  
  
  
  

add a comment | 

1

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?

scam

share|improve this question

edited 8 hours ago

user32849

asked 8 hours ago

user32849user32849

10644 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Anyone can set up a login form and then dump their database on the Internet. It's up to you to make sure this doesn't jeopardize you in any way.
  
  – John Dvorak
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  I don't see how this relates to the question.
  
  – user32849
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  No breach site can ever claim to be complete.
  
  – schroeder♦
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Do you know where this password came from?
  
  – schroeder♦
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unfortunately not.
  
  – user32849
  8 hours ago
  

  
  
  
  

add a comment | 

I have received one of those typical sextortion scams ("drive-by exploit", filmed by webcam (mine has tape on it), pay bitcoin etc.). The thing is that an old password of mine is included (I don't even remember where I used it), but searching the password on HaveIBeenPwned returns nothing (I have previously been notified of two leaks, Last.FM and MyFitnessPal, but those accounts use different passwords).

That got me wondering: since this seems to be a rather old password, how complete are databases like HaveIBeenPwned, and where could I report such a new exploit, other than the authorities?

scam

share|improve this question

edited 8 hours ago

user32849

asked 8 hours ago

user32849user32849

10644 bronze badges

share|improve this question

edited 8 hours ago

user32849

asked 8 hours ago

user32849user32849

10644 bronze badges

share|improve this question

edited 8 hours ago

user32849

asked 8 hours ago

user32849user32849

10644 bronze badges

asked 8 hours ago

user32849user32849

10644 bronze badges

asked 8 hours ago

user32849user32849

10644 bronze badges

1 Answer
1

active

oldest

votes

5

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 8 hours ago

john doejohn doe

5355 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also worth noting that this is a very common tactic. They find a forum or website somewhere that has SQLi, dump the passwords, find the ones that aren't yet public, then send sextortion emails to that subset of users using the password as false leverage to "prove" that they know something about you that "couldn't" be known unless they had access to your computer.
  
  – Polynomial
  1 hour ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214048%2fsextortion-with-actual-password-not-found-in-leaks%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

5

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 8 hours ago

john doejohn doe

5355 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also worth noting that this is a very common tactic. They find a forum or website somewhere that has SQLi, dump the passwords, find the ones that aren't yet public, then send sextortion emails to that subset of users using the password as false leverage to "prove" that they know something about you that "couldn't" be known unless they had access to your computer.
  
  – Polynomial
  1 hour ago
  

  
  
  
  

add a comment | 

5

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 8 hours ago

john doejohn doe

5355 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also worth noting that this is a very common tactic. They find a forum or website somewhere that has SQLi, dump the passwords, find the ones that aren't yet public, then send sextortion emails to that subset of users using the password as false leverage to "prove" that they know something about you that "couldn't" be known unless they had access to your computer.
  
  – Polynomial
  1 hour ago
  

  
  
  
  

add a comment | 

While services like HaveIBeenPwned are fairly extensive, there are still many stolen user / password lists that have not been revealed to the public eye. Maybe a company didn't actually disclose what happened, never realized anything happened, and/or no researcher has yet found the list. Unless you somehow find the list that included that password somewhere, there isn't a good option to try and report this incident.

share|improve this answer

answered 8 hours ago

john doejohn doe

5355 bronze badges

share|improve this answer

answered 8 hours ago

john doejohn doe

5355 bronze badges

answered 8 hours ago

john doejohn doe

5355 bronze badges

answered 8 hours ago

john doejohn doe

5355 bronze badges