Don't worry about this kind of email. It's a know scam.

It's very easy to get hand of a stolen password database, and as most
people only have one or two passwords, claim you hacked them and have
compromising info. But they don't have, don't worry.
Someone at work got a similar email claiming that the emailer had
compromising video footage (it was a work account - no cams and very
improbable anyway). It demanded bitcoin and gave a hash to deliver it to.
But it didn't show a password, so yours is a somewhat nastier and more
effective variant. Ours claimed to have footage of the person's
"senescence." OMG - you caught me aging?! (Okay, not quite what it means.)

As for the password thing ... I really haven't figured out what best
practice is on time between notification-of-breach to public reveal. (I
went after the Science Centre about their use of SSL2 on their website -
where they take people's credit cards - so I have had a peripherally
related experience with problem/notification/reveal
https://www.gilesorr.com/blog/science-centre-ssl.html ). I'd say a month?
But I'd probably start the clock from your three weeks ago email. Although
if you didn't tell them _when_ you were going to reveal, that's not totally
fair. But it's also weighed against the public damage that's arguably
being caused by these emails.

The Canada Computers password database breach could have been years ago.
But if it was, did they make that known? Did they even know? <sigh>

P.S. And I'm glad I've never purchased from their website, only their
stores.

| From: Giles Orr via talk <***@gtalug.org>

| Someone at work got a similar email claiming that the emailer had
| compromising video footage (it was a work account - no cams and very
| improbable anyway). It demanded bitcoin and gave a hash to deliver it to.

Same.

| But it didn't show a password, so yours is a somewhat nastier and more
| effective variant.

Yes. The password was even in the Subject. That would probably get
the attention of most people. It didn't work in my case because my
passwords look like line noise and are not well-known to me. Imagine
if your password were, say, your first pet's name.

| Ours claimed to have footage of the person's
| "senescence." OMG - you caught me aging?! (Okay, not quite what it means.)

Some of the delights of spam are the pretentious language fails. (I
know, "people in glass houses...".)

| As for the password thing ... I really haven't figured out what best
| practice is on time between notification-of-breach to public reveal. (I
| went after the Science Centre about their use of SSL2 on their website -
| where they take people's credit cards - so I have had a peripherally
| related experience with problem/notification/reveal
| https://www.gilesorr.com/blog/science-centre-ssl.html ).

I read that previously. It added to my general sense of despair.
Often when you mention your blog it prompts me to binge read it to
catch up. Thanks!

(I recommend that TLUGers have a look at Giles' blog and not just
this one entry.)

| I'd say a month?
| But I'd probably start the clock from your three weeks ago email. Although
| if you didn't tell them _when_ you were going to reveal, that's not totally
| fair. But it's also weighed against the public damage that's arguably
| being caused by these emails.

Both times that I talked to Canada Computers, I told them that if I
didn't get a response within a week, that I would consider other
avenues of disclosure. I did not say that the response had to be
their ultimate reaction to the breach, just that I needed some
response.

My email to TLUG is clearly a disclosure. I posted it two weeks after
I talked with a technical person at CC. I realized that my earlier
discussion with a Customer Service Rep might not get through, which is
why I phoned again instead of publicly disclosing. BTW, the CSR had
mentioned that she had received a similar call before.

I imagine that mailing the TLUG list is not the most appropriate
disclosure. I was hoping for suggestions for additional disclosure.

| The Canada Computers password database breach could have been years ago.
| But if it was, did they make that known? Did they even know? <sigh>

Exactly.

That's why I mentioned xpresscanada.com even though that site died
many years ago.

| P.S. And I'm glad I've never purchased from their website, only their
| stores.

How retailers handled web sites has changed a lot in the many years
that CC has had a web site. Perhaps their security is better now.
Perhaps not.
---
Talk Mailing List
t

On Sat, 4 Aug 2018 09:14:38 -0400 (EDT)
no, not really. by the time you receive the type of email you have, it is way too late.

The email you received is from a bulk mailer and the syndicates already
know that the information that they have your password is only of importance
to be used to scare you into paying.

Cyber crime is a business. It has costs, risks, returns and
information/data is all important. The only time you will receive your
password as part of a ransom email is when there is no value left in
the data itself.

So, it is in fact pointless, useless and wasteful spam.

That you think your blackmail email contained valuable data is funny :)

How sure are you that it was Canada Computers? Are you saying that that
was the only place you used that password? And, is it a current
password (dollars to donuts says: no...) and with Google hacked, Yahoo
hacked, Microsoft hacked, it matters very little anyway... Change your
passwords every 30 days (or less) and never use the same password
twice (or even anywhere else) - If they sent me my google/yahoo/etc
password - I would even be able to tell you from which week it came :)

hth

Andre

---
Talk Mailing List
***@gtalug.org

| From: ac via talk <***@gtalug.org>

| no, not really. by the time you receive the type of email you have, it is way too late.

Probably. But the information that a site was hacked should still be
useful to the site.

| How sure are you that it was Canada Computers? Are you saying that that
| was the only place you used that password?

Yes. (I said that in my original posting.)

| And, is it a current
| password (dollars to donuts says: no...)

It was. No longer.

| and with Google hacked, Yahoo
| hacked, Microsoft hacked, it matters very little anyway... Change your
| passwords every 30 days (or less)

I find that too much bother. Experts have waffled on this policy.

| and never use the same password
| twice (or even anywhere else) - If they sent me my google/yahoo/etc
| password - I would even be able to tell you from which week it came :)

For real security, use something other than passwords. But that
doesn't seem to be in place for most sites.

Single-sign-on makes multi-factor authentication more feasible. I don't
trust the monopoly power of single-sign-on providers. And I don't
trust the resulting "one compromise to rule them all" ecosystem. And
I'm not attached at the hip to a mobile phone (SMS is the usual second
factor for consumers).

I can imagine that client certificates for TLS could help, and I
assume that the TLS supports this feature. But I don't know that
any important sites expoit them. And the certificate hierarchy
provides for monopoly abuse.
---
Talk Mailing List
***@gtalug.org

It is terrible practice and no one should ever do that in this day and age.
Unfortunately there are still some publically accessible sites that do it.
--
Cheers!

Kevin.

http://www.ve3syb.ca/ | "Nerds make the shiny things that
https://www.patreon.com/KevinCozens | distract the mouth-breathers, and
| that's why we're powerful"
Owner of Elecraft K2 #2172 |
#include <disclaimer/favourite> | --Chris Hardwick
---
Talk Mailing List
***@gtalug.org
https://gtalug.org/mailman/listi

| From: Stephen via talk <***@gtalug.org>

| Is it not terrible practise to store unencrypted passwords on a web site?

Yes.

But even if you hash them (best practice) with a slow hash function
(best practice but not as common as one would hope) with salt (also
best practice), they may well be crackable off-line using GPUs and
rainbow tables.

Most peoples' passwords area easy to brute force. I would have
thought mine was a bit tough.
---
Talk Mailing List
***@gtalug.org
https://gtalug.org/mailman/listinf