Bitcoin Forum

nextweb (https://thenextweb.com/hardfork/2018/04/12/bitcoin-password-leak-cryptocurrency)

This is pretty nasty. Someone has built a malicious copycat of the popular breach database Have I Been Pwned that will reveal your password in plaintext – unless you pay up a cryptocurrency ransom in Bitcoin, Ethereum, Bitcoin Cash, or Litecoin.

Just like Have I Been Pwned, the malicious copycat will let you check whether your associated email address has been breached in the past. The disturbing part is that it will also display leaked passwords of such compromised accounts. The website then asks users for a one-off $10 donation in cryptocurrency to hide the passwords.

According to the instructions on the website, leaked passwords will only be removed after users have successfully provided proof of payment. It is worth nothing that – depending on how widely you used your passphrase – it might be faster to update your old password than to pay up the ransom.

What they're doing is pretty reprehensible, but it's probably not actually a big deal. It's mostly just riding the coattails of the ransomware craze and duping dumb people. If you're info is already on Have I Been Pwned, then it should be considered completely compromised. It's all data from past breaches, a lot of which goes back many years.

This will hurt some people who are very sloppy about their security, but those same people will compromise themselves in various other ways anyway. Fortunately for them, a lot of services like banks, Amazon, etc. are now monitoring for customer information involved in these data breaches and prompting customers to update passwords.

It's an extremely dumb idea to pay them to hide your password, because first you have to trust that they will actually do it and second, if they know it, than a whole lot of other hackers also do, because they sell this kind of databases to each other on a daily basis. If the password is stored in plaintext, than it either means that the original password was so weak that it got cracked or that some site was storing it in plaintext in the first place - these two possibilities already mean huge security flaws and paying $10 won't solve them.

The good thing is that it appears the platform does not store plaintext passwords for all compromised accounts found in its database.

Could this also be a trick to scare you? They can mix in the compromised accounts with accounts they do not have the passwords to but pretend they do. That's an easy $10 extorted per person. How can they prove that they can have access to your account? What would stop me from changing my passwords today?

Also, most email accounts today do not contain important information anymore, only social media notifications hehehe.

You know this, and I know this. However, many of the regulars don't know what to do or have any idea about how things like this work. I checked the email address of relatives and surprised them with mentioning what sites they registered on. Their response was how did I know they were registered there, and what the first or last letters of their passwords were, etc. At that point they started to panic, and people who panic are desperate and very likely to pay to get themselves "removed" from these databases. People here often blame regulars for not understanding Bitcoin, but they fail to understand that regulars don't even understand the basics of the internet. I would say that spreading awareness and knowledge is the best thing that you can do within your own environment. Not everyone knows how to deal with these things.