nextweb

This is pretty nasty. Someone has built a malicious copycat of the popular breach database Have I Been Pwned that reveals your leaked password in plaintext unless you pay a cryptocurrency ransom in Bitcoin, Ethereum, Bitcoin Cash, or Litecoin.
Just like Have I Been Pwned, the copycat lets you check whether an email address appears in past breaches. The disturbing difference is that it also displays the leaked passwords for those compromised accounts, and then asks for a one-off $10 "donation" in cryptocurrency to hide them.
According to the instructions on the website, the passwords are only removed after the user provides proof of payment. It is worth noting that these passwords come from old breaches and are already in other people's hands, so paying to hide them from one website changes nothing; changing the exposed password everywhere you still use it is the actual fix, and it is faster than paying.
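The security-relevant difference between the two sites is what the service ever gets to see and show. A legitimate breach check can be built so the server never receives the plaintext password at all; Have I Been Pwned's Pwned Passwords range API does this with a k-anonymity scheme (the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally). The following is an added example written for this page, not code from Have I Been Pwned or from the copycat; it puts a plaintext-style lookup next to a range-query lookup against a constructed, made-up breach dump so you can see exactly what reaches the server in each case.

```python
import hashlib
from collections import Counter

# Constructed sample corpus standing in for a breach dump (made up, not real leaked data).
BREACH_DUMP = ["password", "123456", "qwerty", "password", "letmein", "password"]

PREFIX_LEN = 5  # the range API keys on the first 5 hex characters of the SHA-1


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side. Stores only hashes and occurrence counts, and records
    what each client actually transmitted so the two lookup styles can be compared."""

    def __init__(self, dump):
        self.counts = Counter(sha1_hex(p) for p in dump)
        self.seen_from_clients = []  # everything the server learned from callers

    def range_query(self, prefix: str):
        """k-anonymity lookup: return (suffix, count) for every hash sharing the prefix.
        The server cannot tell which of these, if any, the caller cares about."""
        self.seen_from_clients.append(prefix)
        return [(h[PREFIX_LEN:], n) for h, n in self.counts.items() if h.startswith(prefix)]

    def plaintext_query(self, password: str) -> int:
        """Copycat-style lookup: the caller hands over the password itself,
        so the server now holds (and could display or log) the plaintext."""
        self.seen_from_clients.append(password)
        return self.counts.get(sha1_hex(password), 0)


def check_k_anonymous(index: BreachIndex, password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appeared in the dump (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in index.range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    idx = BreachIndex(BREACH_DUMP)
    print("k-anon  'password' seen", check_k_anonymous(idx, "password"), "times;",
          "server saw:", idx.seen_from_clients[-1])
    print("plaintext 'qwerty' seen", idx.plaintext_query("qwerty"), "times;",
          "server saw:", idx.seen_from_clients[-1])
```

With the constructed dump the range query tells the client that "password" occurs three times while the server only ever saw the five-character prefix; the plaintext query gives the same answer for "qwerty" but leaves the literal string "qwerty" in the server's hands. That second model is the one the copycat is monetising.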
What they're doing is pretty reprehensible, but it's probably not actually a big deal. It's mostly just riding the coattails of the ransomware craze and duping dumb people. If your info is already on Have I Been Pwned, then it should be considered completely compromised. It's all data from past breaches, a lot of which goes back many years.
This will hurt some people who are very sloppy about their security, but those same people will compromise themselves in various other ways anyway. Fortunately for them, a lot of services like banks, Amazon, etc. are now monitoring for customer information involved in these data breaches and prompting customers to update passwords.