Last summer, cybersecurity experts started to investigate a new round of extortion letters in which scammers tried to convince their would-be victims that they'd been filmed watching porn, and if they didn't hand over a four-figure payment, those (non-existent) videos would be released. A lot of people fell for it, and a lot of people paid up: The CEO of cybersecurity consultancy firm Banbreach told VICE that the hackers scored more than $500,000 in ransom payments in a reasonably short period of time.
But when an 86-year-old Chicagoan received six threatening form letters from fraudsters who said they had footage of her "doing nasty things," she wasn't freaked out, she wasn't buying it, and she definitely wasn't sending them $1,400 worth of bitcoin. "I said this is the most bizarre thing I've ever seen, and I have to go tell all my water aerobics buddies about this letter," Arlene Kaganove told NBC Chicago. You hear that, hackers? A bunch of elderly women are currently laughing about you in a community pool.
Kaganove believes that she was targeted because she signed up for a MyPanera rewards card at her local Panera Bread restaurant, mostly so she could get a free Everything bagel for her 87th. ("I am always signing up for whatever comes free on my birthday,” she said. Same, Arlene. Hard same.)
Shortly after she joined Panera's loyalty program, she started receiving threatening emails that referenced her online behavior. "They say they have been watching me watch porn, which I find hilarious,” she said. She suspects that the scammers discovered her through her MyPanera account, because each email had her username and password listed at the top—and she said she doesn't use that password anywhere else online.
These low-budget rip-off artists basically copied and pasted the text that has been circulating since last July, when these 'sextortion' emails were revealed by cybersecurity journo Brian Krebs. "I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!)," the text read. "What should you do? Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address."
Kaganove was having none of it—although she did appreciate the scammers' polite tone. "They told me I have very good taste in porn so I thought that was nice," she said. Instead of buying $1,400 worth of Bitcoin, she contacted the local news station, and told Panera that her account info had been stolen.
In April 2018, Panera announced that it had addressed a security vulnerability on its website that exposed the personal data of a significant number of its customers. (Panera said that the data breach could've potentially affected "fewer than 10,000" individuals, but security experts—including Krebs—believe that it was more like 37 million customer records). That's obviously bad, but what made it worse was the fact that security researcher Dylan Houlihan said that he'd alerted Panera to the website's flaws more than eight months before the company addressed it.
In Kaganove's case, Panera has stubbornly insisted that her data wasn't taken from its servers. "No MyPanera Rewards account passwords were exposed during the April 2018 incident,” the company said in a statement. “We also went over our forensic records from last year and confirmed that Arlene’s account was not accessed improperly."
The hackers haven't scared Kaganove away from the internet, and she said that if hackers really were watching her, all they'd see was "this little old lady sitting there cursing at the computer because it's not doing what I want it to do."
Yo Arlene, are you on Twitch? Because we'd probably watch that.