There's an interesting email scam going around now, where you'll get an email from an extortionist that includes a password you use and a threat to release embarrassing videos of you. The emails tend to look something like this, but with different amounts and threats:

If you've received one of these, don't panic. Your computer hasn't been hacked, but you should change the passwords you care about - especially if you use the same password in several places.

What happened?

Every now and then you might see a news article about a big data breach, where someone broke into a company's computer system and got a list of usernames and passwords. These lists are then sold on the darknet to extortionists and scammers, for them to use in scams like this one (or identity theft).

Bulk emails are incredibly cheap to send, so a scammer could run a profit on a scam like this if only one or two people in the world pay the "ransom". This is why they don't care that the email looks amateur and why they don't bother really customizing it for you: these scams are designed to be as low-effort as possible for the scammer.

To see where the password probably came from, put your email into haveibeenpwned.com. This is a free service run by a researcher who gets copies of most of the data breaches out there and indexes them. You'll see that many breaches are a few years old, which explains why the password in the email may be one you stopped using.

What do I do?

Most importantly, don't send any money to the address in the email. There is no recording , and there's no one that has all your contacts to send it to.

The key thing is to now realize that a lot of bad people on the internet have the combination of email and password that were included in that email, and they're trying to use them to get into all sorts of accounts you have (taking advantage of the fact that most people use the same password in a few places). This is called "credential stuffing", and is a popular type of hacking.

The most important thing you can do now is change your passwords. Change any service that you know used the password included in the email, and change your critical passwords (email, bank, social media) even if they didn't. Change each one to a different and unrelated password, and don't use words or simple substitutions like switching 0 for O or 1 for l.

Once that's done, check haveibeenpwned.com to see what other passwords of yours are in the wild. Change the password on any service you see listed there.

Since you're changing all your passwords, this is a great time to start using a password manager like 1Password or LastPass. Password managers are secure apps that store all your passwords, and keep track of things like when you last changed them or if they've been found in a data breach.

The idea is that you only have to remember one (complex) password for the password manager, and then the app keeps track of all the individual passwords that it creates for every service. They have browser plugins and mobile apps too, so that you never have to type a password in again. Using a password manager and letting it generate a unique password for every site is the best thing you can do for your online security, and it makes your life easier as a bonus.