Data Breach Extortion Scams

Data breach extortion scams — also called sextortion scams, breach blackmail, or email extortion — involve a fraudster claiming to have obtained sensitive information about you and threatening to publish or share it with your contacts unless you pay. The claimed information varies: passwords from old breaches, browsing history, financial records, or recordings made through your webcam or device camera.

The scam is largely automated, sent in bulk to email addresses obtained from data breaches. The key psychological lever is personalisation: if the scammer can include something that looks specific to you — such as an old password you recognise — the threat feels credible even if the underlying claim is false.

In many cases, the data the scammer claims to have is limited to what they found in a publicly available breach database: your email address and a password from years ago. There is no recording, no sensitive material, and no further access. The email is designed to create panic and the belief that the threat is real and imminent, compelling payment before you think too carefully about whether it can be verified.

In more targeted variants, genuine personal information obtained through stalkerware, a device compromise, or a targeted breach may be incorporated, making the threat more specific and harder to dismiss. These are rarer but more serious.

Understanding the typical mechanics of mass extortion emails — and recognising that the inclusion of an old password does not confirm a recording exists — is the most important protective knowledge for most people who encounter these messages.

The most common variant works as follows: a bulk email is sent to addresses obtained from breach databases. The message claims the sender has infected your device with malware via a compromised website you visited, has been recording your activity through your camera, and has footage or data they will send to everyone in your contact list unless you pay within a short window — typically 24 to 48 hours.

To establish credibility, the email includes a password associated with your email address, found in the same breach database. This creates the impression of specific knowledge and access. In reality, the sender has nothing beyond the email address and password pair.

Payment is demanded in cryptocurrency — almost always — with a specific wallet address. Cryptocurrency is requested because it is irreversible and difficult to trace. The deadline creates urgency and is designed to prevent you from pausing to research the scam or consult someone.

In more sophisticated variants, the sender demonstrates knowledge of additional personal information: your name, address, partial phone number, or details about a workplace. This information may come from aggregated breach data or public records and does not indicate real access to your device.

In genuinely targeted extortion cases — which are a minority — attackers may have obtained real content through a malware installation, a compromised cloud account, or intimate images shared in a private context. These cases require a different response and should be reported to police.

The scam is effective because the fear of being exposed — to family, employers, or colleagues — is intense, and the cost of paying seems lower than the potential social consequences if the threat were real. Even people who know they have done nothing they would be ashamed of can be destabilised by the combination of urgency, a plausible-sounding claim, and a personalised detail like an old password.

Most people are unaware how widely breached passwords are distributed or how easily they can be matched to email addresses. The password feels like specific, private knowledge because it was supposed to be private, but it is in fact available in databases that scammers purchase or download freely.

The cryptocurrency payment demand adds a further layer of pressure — it feels final, irreversible, and separate from normal financial channels, which reinforces the sense that this is a serious, high-stakes interaction rather than a routine scam.

A person receives an email claiming the sender has access to their device's camera and has recorded compromising footage. The email includes a password the person recognises from an old account. A deadline demands payment in cryptocurrency within 48 hours. The person, shaken by the password detail, searches online and finds articles describing this exact email format as a mass scam. They check the included password and confirm it appears in a known public breach database from several years ago. They do not pay, change any current accounts using similar passwords, and report the email to their national fraud body. No further contact is made.

I know your password is [old password]. I have been monitoring your device and recorded you. Pay [amount] in Bitcoin to [address] within 48 hours or I will send the video to your contacts.

Your account has been compromised and I have obtained your personal files. Transfer [cryptocurrency amount] to [address] to prevent them being published.

I installed software on your device when you visited [type of site]. I have a recording. Pay [amount] by [deadline] or it goes to your employer and family.

I have access to your email, contacts, and camera. This is your only warning. Send [cryptocurrency] to [address] now.

If you receive a breach extortion email containing an old password, the most important thing to understand is that a password found in a breach database does not confirm the other claims in the message. Millions of such passwords are freely available. The sender chose one associated with your email address to create the illusion of access.

Check whether the password in the email is actually in use on any current account. If it is, change it immediately — not because the scammer has access, but because that password being in a breach database means other attacks become possible. If the password is an old one you no longer use anywhere, the email is almost certainly a template scam with no specific knowledge of you.

Do not pay. There is no verified case in which paying a mass-extortion email stops further contact — and payment confirms your address is active and willing to respond. A reputable breach-monitoring service can help you understand what data about you is in circulation.

If the email contains genuinely private information that cannot have come from a breach database — detailed personal circumstances, recent photos, or specific recent activities — treat it more seriously and report it to police.