Recently there have been many reports of a clever twist on an old scam, made more believable because the email quotes one of your own breached passwords. The email purports to be from a hacker who has compromised your computer and recorded you watching porn, and who will send the recording to all your contacts if you don't pay the ransom (payable to a cryptocurrency account, so it's not traceable).
The added twist is that the email opens with "I'm aware that <substitute password formerly used by recipient here> is your password".
Apparently the bad actors have run scripts to pull email addresses and passwords from Dark Web dumps of major breaches, such as the LinkedIn breach not too long ago. In many cases the recipient will note that the password hasn't been used in years, but it IS a password they recognize, which still makes the threat very scary. It does not mean that anyone was actually on your system; it means the password was in an old breach.
Whenever a major breach occurs, usernames and passwords wind up on the Dark Web and are bought and sold. If you use Yahoo, EVERY credential has been breached, as an example. LinkedIn and many popular sites have been hacked more than once in the past few years.
This underscores the importance of password management: use STRONG passwords, use a DIFFERENT password for each site, and CHANGE your passwords. To help promote good password policies at your business, our recommended best practices include using a password manager and including Dark Web monitoring as part of your security policy.
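As an added illustration (not code from the original post) of the two points above, the scam's recognisable structure and the fact that the quoted password comes from an old breach rather than from your machine, the Python below triages a constructed sample message of this type. It flags the usual indicators (a "your password is ..." claim, a webcam/recording threat, a cryptocurrency demand, a threat to contacts, a deadline) and checks the quoted password against a small constructed breach list stored as SHA-1 hashes, the way a breach-monitoring service would hold it, so no plaintext passwords are kept. The email text, the password `hunter2` and the breach list are all made-up test data.

```python
import hashlib
import re

# Constructed sample message modelled on the scam described above (not a real email).
SAMPLE_EMAIL = """\
Subject: You have been recorded
I'm aware that hunter2 is your password. I installed malware on your computer
and recorded you through your webcam. Send 0.5 bitcoin to my wallet within
48 hours or I will send the recording to all your contacts.
"""

# Constructed stand-in for a breach-monitoring list: SHA-1 hashes of passwords
# seen in old public dumps. Only hashes are stored, never the plaintext.
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("hunter2", "password123", "letmein")
}

# The opening line the scam uses: "I'm aware that <password> is your password".
PASSWORD_CLAIM = re.compile(
    r"\b(?:i(?:'m| am) aware that|i know that)\s+(\S+)\s+is\s+(?:one of\s+)?your\s+password",
    re.IGNORECASE,
)

# Other hallmarks of the message; each name becomes an indicator in the result.
INDICATORS = {
    "webcam_recording": re.compile(r"\b(webcam|recorded you|recording)\b", re.I),
    "crypto_payment": re.compile(r"\b(bitcoin|btc|wallet|cryptocurrency)\b", re.I),
    "contacts_threat": re.compile(r"\b(all your contacts|your contacts|your friends)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(hours?|days?)\b", re.I),
}


def extract_claimed_password(body):
    """Return the password the message claims to know, or None if there is no such claim."""
    m = PASSWORD_CLAIM.search(body)
    return m.group(1).rstrip(".,;") if m else None


def sextortion_indicators(body):
    """List the indicator names that fire on this message body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    if extract_claimed_password(body):
        hits.append("password_claim")
    return hits


def password_in_breach_list(password, breach_hashes=KNOWN_BREACHED_SHA1):
    """Hash the candidate and look it up; the plaintext never touches the list."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in breach_hashes


def triage(body):
    """Summarise the message: which indicators fired, whether it looks like this scam,
    and whether the quoted password is already in a known breach (None if no password)."""
    hits = sextortion_indicators(body)
    pw = extract_claimed_password(body)
    return {
        "indicators": sorted(hits),
        "likely_sextortion": len(hits) >= 3,
        "claimed_password_in_known_breach": password_in_breach_list(pw) if pw else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The threshold of three indicators is a starting point for a mail-filter rule, not a tuned value; the useful output for a help-desk is the last field, which lets you tell the recipient that the password in the email is an old breached one and that the message is a template, not evidence of a compromise.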
For more detail, read the full article at Krebs on Security.