About a month and a half ago, I started receiving “porn extortion” emails with my TVTropes password in them. For those who haven’t gotten one of these yet, consider yourself lucky.
About 4-6 months back, millions of people started seeing emails that basically said “We infected your computer with a virus, turned on your webcam and recorded your screen. We saw the adult sites you visited, and what you were doing through your webcam when you were there.” Of course, for a small amount of Bitcoin, they can keep that info to themselves.
In case you haven’t guessed, it’s a total scam. I know this because my machine is a Mac, and every single one of these emails I’ve gotten over the months specifically detailed how a WINDOWS machine was infected with their virus.
More recently, these emails started including passwords from websites that I had used in the past. That’s not hard to explain: sites do get hacked, and password databases do get stolen. Then the passwords get sold for fractions of a penny each, and anyone – including these scammers – can use them for whatever they want. As nearly all of these passwords are no longer valid, they’re rarely used for attacking other websites. But using them in this kind of email scam is a great way to recycle no-longer-usable data that’s already out on the web: so many users re-use passwords on so many sites that the likelihood that at least one victim you email still has that password in active use is pretty good indeed.
In this case, for the last month and a half I have been getting these scam emails that specifically mentioned my TVTropes email address and UNIQUE password. Of course I immediately changed my password for that website, and alerted the site administrators through their bug tracking forum. I know it had to have come from that website, because the password has never been used at any other website or for any other login (using a password manager has given me the luxury of this benefit). It could only have come from that one, specific site.
Over 30 days later, there has been no response from TVTropes, forcing me to now go public. If you have an account on TVTropes.org, you need to immediately change your password on that site, and on any other sites where you have re-used that same password.
I’m much more disappointed in TVTropes. While I wouldn’t expect them to have the same level of security as financial or commerce websites, I would expect that when evidence of a breach is found, they immediately investigate and force password changes for all users whose passwords may have been stolen. This is standard incident response.
Also, with no response at all from the site in over 30 days of repeated attempts to contact them, I’m horrifically disappointed in the site administrators. Someone is literally telling you, privately and quietly, that your users are at absolute risk, and your response is… nothing?
So, long story short, there is evidence that TVTropes.org has been breached and that their password database has been stolen and decrypted. Change your password there, and on every other site where you use that same password, immediately.