Imagine sitting down with your morning tea, opening your inbox, and feeling your heart drop straight into your stomach. A message glares back at you, claiming total control over your device. Sometimes, it even displays an old password you actually recognise. Receiving a “You Have Been Hacked” email is a gut-wrenching experience. But before you panic, freeze your bank accounts, or try to figure out how to buy Bitcoin, take a deep breath. You are almost certainly the target of a massive, automated bluff.
In the rapidly evolving landscape of 2026, AI-driven scams are everywhere, but this particular style of digital blackmail—often called “sextortion”—relies on old-fashioned psychological manipulation. Let’s break down exactly what this is, why they have your data, and how to reclaim your peace of mind.
The anatomy of a digital bluff
At its core, this email is a psychological trick. The sender typically claims to have infected your computer with a sophisticated trojan or spyware (they love dropping scary buzzwords like “Pegasus”). They assert they have been recording you through your webcam whilst you were browsing adult websites, and they threaten to send the embarrassing footage to all your contacts unless you pay a ransom in cryptocurrency.
It sounds incredibly convincing. The sheer panic it induces is entirely by design. However, it is almost always pure fiction. They haven’t hacked your webcam. They don’t have a video. They are simply throwing mud at the wall to see what sticks.
Why do they know my old password?
This is the part that catches people out. Seeing a password you used back in 2018 written in plain text in an email from a stranger is deeply unsettling.
Here is the truth: they didn’t steal it directly from your computer. Over the years, countless major websites and services have suffered data breaches. When these breaches happen, hackers bundle up millions of email and password combinations and sell them on the dark web.
The scammer simply bought a list of these old, leaked credentials. They wrote a script to automatically email everyone on that list, dropping the exposed password into the subject line or the opening paragraph to create a terrifying illusion of access.
Spotting the red flags of a fake extortion threat
If you are staring at one of these emails right now, look out for these tell-tale signs:
- Generic greetings: They rarely use your actual name. Expect to see “Hello user,” or no greeting at all.
- Urgent timeframes: The clock is always ticking. They usually give you 48 hours to comply to force you into making a rash decision.
- Cryptocurrency demands: They ask for payment in Bitcoin or other untraceable digital currencies. A legitimate organisation or even a targeted hacker negotiating with a massive corporation might act differently, but these bulk scammers rely on the anonymity of crypto wallets.
- Lack of proof: They never actually attach the supposed video or image. (And no, a screenshot of your desktop from a previous unrelated breach does not prove they have webcam footage).
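
The four red flags above can be turned into a simple triage check for a mail filter or a reported-phishing inbox. This is an added example, not code from the article: the function name, the regular expressions and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Patterns are illustrative assumptions, one per red flag in the list above.
GENERIC = re.compile(r"^\s*(hello|hi|dear)\s+(user|customer|friend|there)\b", re.I)
GREETING = re.compile(r"^\s*(hello|hi|dear)\b", re.I)
DEADLINE = re.compile(r"\b\d{1,3}\s*(hours?|hrs?|days?)\b", re.I)
CRYPTO = re.compile(r"\b(bitcoin|btc|monero|cryptocurrency|crypto wallet)\b", re.I)
FOOTAGE = re.compile(r"\b(webcam|video|footage|recorded|recording)\b", re.I)

def red_flags(raw: str) -> list[str]:
    """Return the names of the red flags present in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    first = next((ln for ln in body.splitlines() if ln.strip()), "")
    flags = []
    # Generic greeting, or no greeting at all on the first non-empty line.
    if GENERIC.search(first) or not GREETING.search(first):
        flags.append("generic_greeting")
    if DEADLINE.search(text):
        flags.append("urgent_deadline")
    if CRYPTO.search(text):
        flags.append("crypto_demand")
    # Footage is claimed but nothing is attached to back it up.
    if FOOTAGE.search(text) and not any(msg.iter_attachments()):
        flags.append("claim_without_proof")
    return flags

# Constructed samples; addresses, password and wallet are placeholders.
SCAM = """\
From: stranger@example.invalid
To: you@example.invalid
Subject: I know your password: EXAMPLE-OLD-PASSWORD

Hello user,
I recorded you through your webcam. You have 48 hours to pay
in Bitcoin to <WALLET-PLACEHOLDER> or the video goes to your contacts.
"""
BENIGN = """\
From: sam@example.invalid
To: you@example.invalid
Subject: Lunch on Friday?

Hi Alex,
Are you free for lunch on Friday? The usual place works for me.
"""

if __name__ == "__main__":
    print(red_flags(SCAM))
    print(red_flags(BENIGN))
```

A single flag means little on its own (plenty of ordinary mail has no greeting); it is the combination of all four that marks the bulk extortion template.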

Your immediate action plan
When you realise you are dealing with a bluff, the fear subsides, but you still need to take action.
Step one is simple: Do absolutely nothing. Do not reply to the sender, and definitely do not pay the ransom. Engaging with them only confirms that your email address is active, which will lead to even more spam.
Next, address the real vulnerability. If the password they quoted in the email is one you still use for any of your current accounts, change it immediately. This is particularly crucial for your primary email account and banking apps. If you receive this on a work computer and feel out of your depth, don’t try to play the hero—contact your internal IT Support team immediately. They deal with these phishing attempts daily and will appreciate your transparency.
Future-proofing your digital life
Relying on human memory for complex passwords is a losing game in 2026. The smartest move you can make today is setting up a reputable password manager. These tools generate and store unique, unbreakable passwords for every single site you use. If one site gets breached, your other accounts remain perfectly safe.
Secondly, turn on Two-Factor Authentication (2FA) wherever possible. Even if a hacker has your current password, they cannot log in without the secondary code sent to your mobile device or generated by an authenticator app.
For businesses, the stakes are inherently higher. A single compromised employee credential can jeopardise an entire network. This is why investing in robust Managed Cybersecurity and email security is no longer optional. Having a dedicated team actively monitoring your network for compromised credentials on the dark web catches these vulnerabilities before scammers can weaponise them.
Reclaiming control
Receiving an extortion email feels deeply personal and invasive. It is entirely normal to feel shaken. But by understanding the mechanics of the scam, you strip the attacker of their only weapon: fear. Delete the email, update your security settings, and go back to enjoying your morning tea. You haven’t been hacked; you’ve just been pitched a terrible lie.