On 4 August 2018 at 04:47, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:

> I received a blackmail message by email. It claimed that they hacked my
> system and had compromising videos from my computer's camera.
>
> As proof, they gave me what they claimed was my password. But I only used
> that password on two sites: canadacomputers.com and
> xpresscanada.com (a long-dead Canada Computers site).
>
> So I'm not worried.
>
> I informed CC about three weeks ago. They seemed to ignore the
> report. I phoned again two weeks ago, and they were interested. I
> told them if I didn't hear that they'd informed their customers that
> I'd publicize this security breach.
>
> I've heard nothing else. So I presume that they have not announced it
> to their customers.
>
> Today I got another blackmail message with the same password.
>
> What do you think that I should do?
>
> PS: my password is a random string generated by mkpasswd(1) so it would
> not have been discovered by an online exhaustive search. They most likely
> filched the password file from CC.
>
> PPS: I'm glad that I don't reuse passwords!

Someone at work got a similar email claiming that the emailer had compromising video footage (it was a work account - no cams and very improbable anyway). It demanded bitcoin and gave a hash to deliver it to. But it didn't show a password, so yours is a somewhat nastier and more effective variant. Ours claimed to have footage of the person's "senescence." OMG - you caught me aging?! (Okay, not quite what it means.)

As for the password thing ... I really haven't figured out what best practice is on time between notification-of-breach to public reveal. (I went after the Science Centre about their use of SSL2 on their website - where they take people's credit cards - so I have had a peripherally related experience with problem/notification/reveal https://www.gilesorr.com/blog/science-centre-ssl.html ). I'd say a month? But I'd probably start the clock from your three weeks ago email. Although if you didn't tell them _when_ you were going to reveal, that's not totally fair. But it's also weighed against the public damage that's arguably being caused by these emails.

The Canada Computers password database breach could have been years ago. But if it was, did they make that known? Did they even know? <sigh>

P.S. And I'm glad I've never purchased from their website, only their stores.
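The quoted message reasons that a random mkpasswd(1) string showing up in a blackmail email can only mean the site's password store leaked, and the sensible next step is to find out which other credentials are in the same leak. The script below is an added example, not code from either poster, showing how a defender can check a password against a leaked-credential corpus without disclosing the password itself: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, and matches the returned suffixes locally (the k-anonymity "range query" design). The corpus here is constructed inline and stands in for a real breach dataset; the thread mentions no such service, and `random_password` is an assumed stand-in for what mkpasswd(1) produces.

```python
import hashlib
import secrets
import string

# Constructed sample breach corpus: SHA-1 digests (uppercase hex) of a few
# leaked passwords. Stands in for a real leaked-credential dataset.
LEAKED_PASSWORDS = ["password", "hunter2", "letmein", "Xk9#mQ2pL!"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in LEAKED_PASSWORDS}

PREFIX_LEN = 5  # how many hex chars of the digest the client reveals


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the form breach corpora use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str) -> list[str]:
    """Server side: given a 5-char digest prefix, return the suffixes of every
    corpus entry sharing it. The server never learns the full digest."""
    if len(prefix) != PREFIX_LEN or any(c not in string.hexdigits for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return sorted(h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix))


def password_in_breach(password: str) -> bool:
    """Client side: only the prefix leaves the client; the suffix match is local."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in range_query(digest[:PREFIX_LEN])


def random_password(length: int = 12) -> str:
    """Assumed stand-in for an mkpasswd(1)-style random password: a string
    drawn with a CSPRNG from a 62-character alphabet (~5.95 bits per char)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["hunter2", random_password()]:
        status = "FOUND in corpus" if password_in_breach(candidate) else "not in corpus"
        print(f"{candidate!r}: {status}")
```

Because only the five-character prefix is transmitted, a lookup reveals nothing usable even if the query channel is observed; the same pattern applies when checking a whole list of credentials after a suspected breach, so that rotating the reused ones can be prioritised.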