My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Sun Aug 31, 2025 9:10 am
by Kurzer
Hello everyone,
Although this only affects my SpiderBasic account at the moment, I am posting the incident here as well, since there are more people here than on the SpiderBasic forum.
Today, I received a blackmail email that contained my password for my SpiderBasic account in the subject line. That is, the account on SpiderBasic.com—not the account here in the forum.
Some of you may already be familiar with this type of blackmail email. It always contains similar text suggesting that the blackmailer has access to all devices that they claim to have infected with a Trojan virus and that they have secretly recorded webcam and screen videos of compromising situations, which they are now using to attempt blackmail. However, that's not the point here, because the information about the password was put in the wrong context, so it's clear that the blackmailer (script kiddie?) picked it up somewhere but doesn't know the context.
Long story short: Since I don't know myself whether I am the weak link in the password leak or whether there was a hack involving several SpiderBasic account details (password + associated email address), I wanted to publish this here so that others who may have received a similar email can put it into context. Perhaps Fred knows something about a past hacker attack on the SpiderBasic server?
I have already checked my affected email address at [haveibeenpwned.com] and [sec.hpi.uni-potsdam.de/leak-checker/search]. However, no data leak involving my affected email address was found there. If the attacker had obtained the information due to a data leak on my computer (screen recorder or similar), they would also have obtained the correct context for the password. However, this does not seem to be the case, as the blackmail email clearly states that the blackmailer associates the password with the email account – which is clearly incorrect.
My recommendation for these cases:
- Do not reply to this email, but delete it.
- If the email accesses external graphics and your email reader prevents these graphics from reloading, do not click on the button that would reload them.
- Change your SpiderBasic account password. I also changed the one for PureBasic at the same time.
Regards, Kurzer
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Sun Aug 31, 2025 12:03 pm
by NicTheQuick
Did you use that same password on other accounts too? Or do you use unique passwords for each of your accounts?
I don't think there will be a server side hack because in Europe on server side passwords must be hashed according to GDPR Art. 32.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Sun Aug 31, 2025 1:22 pm
by BarryG
Sounds like your PC is infected. Maybe time for a wipe and reinstall.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Sun Aug 31, 2025 1:50 pm
by AZJIO
Try "Kaspersky Free Rescue Disk".
Launch code for Grub2 or use Rufus
Code:
set isofile="/b/krd0825.iso"
search --set=root --file ${isofile}
# probe --set=UUID --fs-uuid $root
loopback loop ${isofile}
set root=(loop)
linux (loop)/live/vmlinuz boot=live components findiso=${isofile} locales=ru_RU.UTF-8
initrd (loop)/live/initrd.img
It works directly from my hard drive.
Video
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Sun Aug 31, 2025 3:19 pm
by Kurzer
NicTheQuick wrote: Sun Aug 31, 2025 12:03 pm
Did you use that same password on other accounts too? Or do you use unique passwords for each of your accounts?
No, I have a separate, different password for each account.
And I don't believe that European servers are immune to data leaks or that they are completely secure against hacks. (www.dahag.de/datenlecks)
BarryG wrote:
Sounds like your PC is infected. Maybe time for a wipe and reinstall.
I don't think so, as I always use up-to-date antivirus software, but if that is indeed the case, then it can only be my old computer that is affected.
I recently switched to a new computer (Windows 11 24H2) and have only installed a few programs on it, all of which come from a clean source. Most of the programs were updated or upgraded to a new version in the process, so I downloaded the installers for them directly from the manufacturer. Windows Defender did not trigger an alarm at any point during the setup of the new computer.
AZJIO wrote:
Try "Kaspersky Free Rescue Disk".
Launch code for Grub2 or use Rufus
My old computer now only exists as a virtual machine. I transferred the PC to VirtualBox after migrating to the new PC. If I want to scan for infections there, I would have to do so in the VM.
Another indication that the blackmailer is talking nonsense is that the webcam is disabled in the BIOS on all my PCs and the lens is also covered. I am already familiar with the blackmailer's text from other “spam emails” that were simply sent on suspicion (without a password being mentioned).
Therefore, I am still wondering why the blackmailer obviously does not know the context of the password if there was a leak on my computer. Even if the browser had been compromised and the password had been tapped when logging into the SpiderBasic site, it should have been obvious what the password is used for. In any case, linking the password to my email account is just a shot in the dark, because it is not used at all in my email program.
And therefore, I tend to think that this login information (email address and password) was picked up in some huge database of leaked access data—so that the “user” of my data only has my email address and associated password at their disposal, without any further context.
If anyone knows of any other services that can check an email address against leaked login data, please let me know.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Sun Aug 31, 2025 7:38 pm
by Skipper
Thank you, Kurzer, for bringing this to our attention!
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Sun Aug 31, 2025 8:19 pm
by Fred
Passwords are never stored as is in a database and SpiderBasic and PureBasic accounts are no exceptions. All is hashed before being inserted in the database and when you login, only the hash is sent (you can check this step browser side). So if there is anything, it's not coming from us.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 12:05 pm
by Kurzer
Fred, thanks for clarifying that.
I now have no choice but to look into this matter further, as I have received an identical email on a second email account. This email mentioned another real password in the subject line. It was the password for my old eBay account (but this password is no longer valid, as I changed it some time ago).
And here, too, the blackmailer seems to be unaware of the context, as he explicitly wrote, “So you know I'm serious, this is your password for this email account...” And again, the password has nothing to do with the email account.
A check with HPI Identity Leak Checker revealed that this data (email + password) is included in a leak from 2020 (Leak Collection (Cit0day)). This collection affects over 220 million users. And in a collection from 2016 (Combolist) with over 19 million users.
Since I am not at all sure how this data could have been/can be leaked from my PC, I would appreciate any tips from people who know more about this. It is undisputed that many large online players have been hacked before, resulting in millions of access data being stolen (including eBay), but I am not clear how the access data for the SpiderBasic account was lost.
I've done some research:
Even passwords stored as hashes are not unbreakable. Among other things, it depends on whether the data is salted to prevent the use of rainbow tables. And I have to admit that the SpiderBasic password was not a strong password, so GPU hash cracking could lead to success quite quickly here (graphics cards can test billions of hashes per second).
Stolen databases often end up on the darknet or in leaks. There, other criminals buy or download the hashes and try to crack them. Under certain circumstances, several criminals may be working on decryption with their combined computing power.
But be that as it may, I will probably never be completely certain. But I should check my old computer for infection. I would be grateful for any tips from security professionals. However, the old computer only exists as a virtual machine.
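The point about salting and rainbow tables in the post above, as an added example that is not part of the original post and is not SpiderBasic's own code: it compares an unsalted fast hash with a per-user salted PBKDF2 record. The wordlist, user names, password and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist standing in for a precomputed table.
WORDLIST = ["123456", "password", "spider2020", "qwerty"]
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def unsalted_hash(password):
    """Fast, unsalted digest: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {unsalted_hash(w): w for w in words}

def salted_record(password, salt=None):
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key

def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], key)

def demo():
    table = build_lookup_table(WORDLIST)
    # Two constructed users who picked the same weak password.
    dump = {u: unsalted_hash("spider2020") for u in ("alice", "bob")}
    recovered = {user: table.get(digest) for user, digest in dump.items()}
    alice = salted_record("spider2020")
    bob = salted_record("spider2020")
    return {
        "unsalted_identical": dump["alice"] == dump["bob"],
        "recovered": recovered,                 # one table inverts both rows
        "salted_identical": alice[1] == bob[1], # salts make the rows differ
        "table_hit_on_salted": alice[1].hex() in table,
        "verify_ok": verify("spider2020", *alice),
        "verify_wrong": verify("password", *alice),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A salt only defeats precomputation and cross-user matching; a weak password can still be guessed one record at a time, which is why the slow KDF and a strong, unique password both matter.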
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 2:48 pm
by AZJIO
What program do you use to create a virtual computer? If the disks are not dynamic, you can mount the files using imdisk
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 2:52 pm
by Fred
Which OS do you run on your old VM? Is it connected to the internet?
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 3:25 pm
by Kurzer
AZJIO wrote: Mon Sep 01, 2025 2:48 pm
What program do you use to create a virtual computer? If the disks are not dynamic, you can mount the files using imdisk
I used Disk2VHD from Sysinternals to virtualize the C: drive of my old computer. The old computer is now a *.vdi file connected to VirtualBox 7.
Fred wrote: Mon Sep 01, 2025 2:52 pm
Which OS do you run on your old VM? Is it connected to the internet?
The old computer runs Windows 7 x64 SP1 and yes, it is/was connected to the internet.
MSE (Microsoft Security Essentials) was installed as virus protection and updated every day via MS Update.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 3:44 pm
by Fred
IMHO it's a big mistake, Windows 7 has tons of exploits since its support ended in 2020 (which is a long long time in computer world) and running an antivirus or anything else on top of a broken OS is of course not enough.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 4:02 pm
by Kurzer
I thought you were asking about the OS because you had a tip for me on how to find out whether the computer had actually been compromised.
I know that Windows 7 is outdated, but I would like to know for sure whether there was an attack/infection on this particular computer. Just because someone used Windows 7 doesn't automatically mean that every one of these computers was attacked or compromised. I'm looking for information on how to check this for sure.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 4:31 pm
by AZJIO
Kurzer wrote: Mon Sep 01, 2025 4:02 pm
but I would like to know for sure whether there was an attack/infection on this particular computer.
If you mount the disk, you'll have the opportunity to check it with a third-party antivirus. I use Kaspersky's free antivirus. What's the point of finding a virus if it doesn't make you feel any better? I think you should change the passwords on important resources that might be of interest to hackers. I don't think they're interested in regular forums. One possible scenario is that someone has gained access to your browser files. I've helped people reinstall their operating systems many times, and when they can't remember their passwords, I simply copy their browser profile. So you need to delete the cache and passwords in the old OS, and clear the %temp% folder. Otherwise, you still have a computer that can be hacked. What's stopping you from transferring your files to a new computer? I recently bought a new computer, and it was challenging for me to switch, but I didn't drag the old stuff over. I copied the project folder, connected the old drive to the new computer to access files, but I'll eventually disconnect it when the demand for its files decreases. I dragged the passwords and bookmarks through the Firefox account, and he still has access to them, so there's no point in not trusting them, as they could do it without asking.
The antivirus in Windows often deleted my files, so I started using Kaspersky antivirus. So you can use both of them. If you disable Kaspersky antivirus, Defender antivirus will automatically turn on.
Re: My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
Posted: Mon Sep 01, 2025 4:32 pm
by NicTheQuick
I am quite sure an AI like ChatGPT, DeepSeek or Gemini could help you with figuring out if Windows 7 was the issue.