
'They're threatening me with porn': Scam using old LinkedIn data alarms Canadians


Scammers have already separated victims from about $50K worth of bitcoin, IT firm says

Debra Higgins says she was alarmed to receive an email threatening to release a video of her browsing online pornography, even though she never does that, because the email also contained an old password of hers. (Safar Heydari)

Debra Higgins is in her 60s and doesn't visit online porn sites but was nevertheless alarmed when she received an email from an unknown person who threatened to release a video of her doing just that.

"I was panicking," she said. "I was in tears. I was embarrassed. I was scared. I didn't know what to do."

Of course, the video doesn't exist.

But the blunt, aggressively worded email that gave her two days to fork over $1,900 worth of bitcoin was still upsetting, in large part because it did contain some genuinely personal information about her — an old password.

"There was just enough of a grain of truth — they know your password — and then it goes on to talk about using my computer's camera to videotape me," she said. "So it was very frightening."

It took Higgins, who lives in Qualicum Beach, B.C., nearly two days to build up the courage to contact her son in Calgary and enlist his help in dealing with the situation, but she was glad when she did.

He assured her the email was a common scam that others had also received, and the threat was an empty one.

'Don't panic'

The scam is a particularly convincing one, said Chris Nowell, with Calgary-based ThreeShield Information Security, who has been tracking the proliferation of emails like this for the past few weeks.

He said the would-be victims' passwords were obtained from the 2012 hack of LinkedIn, which exposed the private information of more than 100 million users of the business-oriented social media site.

Scammers are now using the old LinkedIn data to inject an extra level of fear into their targets but, if you get an email like this, Nowell said the fact that they know your password from six years ago shouldn't be immediately alarming.

"Don't panic," he said.

"Know that it's all from a 2012 LinkedIn breach, and you've likely already changed your password for LinkedIn. The biggest risk here is, of course, if you're using the same password for that as you're using for other sites, then those have likely been compromised already."

Paul Rockwell, head of trust and safety at LinkedIn, said the company is aware of the scam.

"We continue to encourage our members to report any messages or postings they believe are scams and utilize our member help centre as a resource to educate and protect themselves from frauds online," he said in an email.

Scammers have received $50K

Lisa Wilton received a similar email and was pretty sure it was a scam right from the start but said it still gave her pause.

"It looked like a scam email, but what was a little bit worrying was that in the subject line was my name and a password that I had used before," the Calgary resident said.

"I don't frequent porn sites, but people who do — and no judgment — I could see them getting very worried about that."

Indeed, at least two dozen people seem to have been worried enough to give in to the blackmail and pay the scammers' asking prices, which vary but typically range in the thousands of dollars.

In just over two weeks of monitoring bitcoin addresses in the emails that he's seen, Nowell's firm has tracked 24 transactions that have sent a total of 4.61 bitcoins to the scammers.

The price of bitcoin is notoriously volatile but, at current rates, that works out to just shy of $50,000.

Nowell expects Canadians will see more of these types of emails in the future.

"When something is successful and starts getting a bit of publicity, we get a lot of copycats," he said.

'Overwhelming sense of embarrassment'

Sure enough, while Higgins was on the phone with CBC News explaining her first experience with the scam, a second email popped up in her inbox, this one demanding $8,000 and giving her 24 hours to pay up.

"Even reading this second one, my stomach clenches," she said.

"And I know better, but my initial reaction is still one of: 'Oh my god, what do they have? This can't possibly be true.' But then there's this overwhelming sense of embarrassment and I can't even tell anyone because, my god, they're threatening me with porn. That's not even logical but they have my password, so what else do they have?"

Nowell, whose IT-security firm works primarily with small and medium-sized businesses, advises being sure that none of your current passwords are the same as the password you used for LinkedIn in 2012.

Rockwell said LinkedIn's response to the hack "included a mandatory password reset for all accounts affected."

In general, Nowell said it's advisable to use multi-factor authentication on your accounts to further frustrate would-be hackers and scammers.

And if you receive a porn-video-extortion email?

"Ignore it," he said. "That's the easiest thing."