It can be concerning to receive spam email that appears to have been sent by yourself, especially if the sender has your password (or something close to it) and threatens to publish personal information unless you pay.
Most of the time, however, the hacker has simply faked the sender address to be yours. What about the password? Typically they've used a password published after a system-wide hack of a website you use. For example, in 2017 LinkedIn was hacked and all the user information was leaked for anyone to look at.
This website will show you where your password was stolen from: https://haveibeenpwned.com/
The best course of action if the password is correct or close is to change your email password and disregard the email. If they do have your password or guess it correctly, they can gain access to your email and send malicious emails to others very quickly.
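One way to check whether the sender address was faked, shown here as an added example that is not part of the original article: the script reads a message's headers and lists the signs that the From address was forged. The sample message, its addresses and the mx.example.com server name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers of a "sent by yourself" message as the
# receiving mail server might record them (every value is made up).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com;
 spf=softfail smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Me" <alice@example.com>
To: alice@example.com
Subject: Your account was hacked

As you may have noticed, I sent you an email from your account.
"""

def domain(header_value):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Map spf/dkim/dmarc to the verdict recorded by the receiving server."""
    text = " ".join(msg.get_all("Authentication-Results") or [])
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)
    return {mech.lower(): verdict.lower() for mech, verdict in found}

def spoof_indicators(raw):
    """Return the reasons to suspect that the From address was forged."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"] or "")[1].lower()
    rcpt = parseaddr(msg["To"] or "")[1].lower()
    reasons = []
    if sender and sender == rcpt:
        reasons.append("From and To are the same address")
    envelope = domain(msg["Return-Path"])
    if envelope and envelope != domain(msg["From"]):
        reasons.append(f"envelope sender domain {envelope} differs from From domain")
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "missing") != "pass":
            reasons.append(f"{mech}={verdicts.get(mech, 'missing')}")
    return reasons

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print("-", reason)
```

Only an Authentication-Results header added by your own mail provider's server is meaningful, since a sender can insert a forged one further down the header list.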
Example of one of these spam emails:
As you may have noticed, I sent you an email from your account.
This means that I have full access to your account: On moment of hack your account has password: password123
You say: this is the old password!
Or: I will change my password at any time!
Yes! You’re right!
But the fact is that when you change the password, my trojan always saves a new one!
I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this, transfer the amount of $783 to my bitcoin address.
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.