Whether you’re using your parents’ password, you share an account with a spouse, or you somehow still have your freshman-year roommate’s uncle’s login information, sharing Netflix credentials is a near-universal experience for the modern couch potato.
But many Netflix users are unwittingly sharing their account with unwelcome guests, too. On thriving online black markets, vast troves of Netflix accounts are on sale for just pennies per login.
According to research from Symantec, compromised Netflix accounts sell cheaply on forums and marketplaces found both on publicly accessible websites and on the dark web. A large supply of stolen credentials keeps prices low, and some sellers even offer discounts on bulk purchases.
Researchers found two main types of Netflix accounts on the black market. Some accounts for sale are already being used by a paying Netflix customer—the black-market buyer simply piggybacks on an existing account by using a paying customer’s username and password.
Hackers usually get their hands on valid credentials through emailed phishing schemes or fake websites that masquerade as Netflix. In one common scam, a hacker pretending to be a Netflix employee emails users to tell them they need to update their accounts. When they input their username, password, and sometimes even credit-card information into a fake website, it goes right into a hacker’s database and is ripe for resale.
Instead of paying for an existing user’s account information, black-market shoppers can also buy accounts that are newly generated based on stolen credit-card information. These generators dip into existing databases of stolen financial information to buy new accounts.
Having bought up a few Netflix accounts, a black-market window-shopper might go on to peruse offerings of stolen credentials for just about any sort of paid online service. Logins for HBO Go, Spotify, sports-streaming services, and paid pornography sites are available for easy online purchase.
One seller who deals in stolen accounts on a popular marketplace for illegal goods offers pages and pages of online accounts. “I like to think there is no better option for account dumps,” the seller wrote on a page selling stolen Spotify credentials. “From Netflix to Skype codes, I’m your guy.”
This seller’s listings are available only on the dark web, the part of the Internet that ordinary browsers can’t reach and search engines don’t index. It can be viewed only through Tor, a network of volunteer-run relays that routes traffic through several layers of encryption so that no single relay knows both who sent a request and where it went. Here, that anonymity makes it much harder for law enforcement to trace buyers and sellers.
The seller was rated five stars for “stealth,” and four and a half stars for value and quality. A register of recent purchases showed that a buyer nabbed accounts to Netflix, Hulu Plus, and Spotify for $4.99 around midnight Monday.
Of course, there’s no guarantee any of these black-market credentials actually work, says Satnam Narang, the senior response manager for Symantec’s Norton security product. Since these transactions are illegal, there’s not much of a return policy, so criminals could theoretically get away with selling non-working credentials, he said. (On this particular marketplace, that sort of behavior would quickly knock a seller down a few stars on the quality scale.)
An upstanding member of society who pays for access to services like Netflix might not be terribly worried about a hacker halfway across the world selling access to their account. The only visible effect may be a string of confusing movie recommendations, but in the hands of a malicious hacker, access to one online account can be a foothold for large-scale identity fraud.
An intruder could learn personal details about a person from inside a Netflix account—family members’ names, for example, or a billing zip code—that he could then use to trick the victim into giving up more information. Just this past weekend, a hacker used this tactic, known as social engineering, to steal personal information of thousands of employees from a Department of Justice database.
If a Netflix customer with a compromised account uses the same information for multiple online accounts, then the damage could spread. The intruder might try logging into the customer’s bank account, for example, with the same username and password.
Most online accounts allow users to check up on recent activity, to make sure there’s nothing unusual going on. Netflix has an option on its settings page to check “viewing activity,” and from there you can “see recent account access,” which lists the dates, locations, and devices of recent sign-ins. And if the company detects strange activity in a user’s account, it may trigger a password reset on its own.
If you suspect your Netflix account has been compromised, it’s easy to regain control. In the settings page, click the option to sign out all devices: This will kick out any unwanted users on the account. After the purge, change your password, and share it only with authorized users—and then go back to binging on reality TV without worry.
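To make the two mechanisms above concrete, here is an added example, written for this article and not Netflix’s own code, of what a streaming service’s side of this looks like: a check that flags an account whose sign-ins in any 24-hour window span more countries or devices than a household plausibly would, followed by the remediation the article describes (invalidate every session, require a new password). The event format, the thresholds, the session store, and the sample sign-in records are all assumptions constructed for illustration.

```python
"""Detect shared or hijacked streaming accounts from sign-in records, then
revoke sessions and force a password change. Illustrative only: the event
format, thresholds and session store are assumptions, not any real service's."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import secrets


@dataclass
class LoginEvent:
    account: str
    ts: datetime
    ip: str
    country: str
    device_id: str


# Constructed sample data (not real logs): "alice" is being used from four
# countries within one day, which a paying household would not do;
# "bob" signs in from one country on two devices over three evenings.
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2016, 2, 9, 0, 5), "203.0.113.7", "BR", "tv-1"),
    LoginEvent("alice", datetime(2016, 2, 9, 2, 40), "198.51.100.2", "RU", "phone-9"),
    LoginEvent("alice", datetime(2016, 2, 9, 9, 15), "192.0.2.44", "US", "tv-1"),
    LoginEvent("alice", datetime(2016, 2, 9, 14, 0), "192.0.2.45", "US", "laptop-3"),
    LoginEvent("alice", datetime(2016, 2, 9, 22, 30), "203.0.113.90", "IN", "phone-9"),
    LoginEvent("bob", datetime(2016, 2, 9, 19, 0), "192.0.2.10", "US", "tv-1"),
    LoginEvent("bob", datetime(2016, 2, 10, 19, 0), "192.0.2.10", "US", "tablet-2"),
    LoginEvent("bob", datetime(2016, 2, 11, 19, 0), "192.0.2.10", "US", "tv-1"),
]

# Assumed thresholds: a family travelling might hit two countries in a day,
# but not four; a plan allows a handful of devices, not a reseller's customers.
MAX_COUNTRIES_PER_WINDOW = 2
MAX_DEVICES_PER_WINDOW = 4


def suspicious_accounts(events, window=timedelta(hours=24)):
    """Return the set of accounts whose sign-ins in some sliding window
    touch more distinct countries or devices than the thresholds allow."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev.account].append(ev)
    flagged = set()
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it spans at most `window`.
            while ev.ts - evs[start].ts > window:
                start += 1
            recent = evs[start:end + 1]
            countries = {e.country for e in recent}
            devices = {e.device_id for e in recent}
            if (len(countries) > MAX_COUNTRIES_PER_WINDOW
                    or len(devices) > MAX_DEVICES_PER_WINDOW):
                flagged.add(account)
                break
    return flagged


@dataclass
class Account:
    name: str
    salt: bytes = b""
    password_hash: bytes = b""
    sessions: dict = field(default_factory=dict)  # session token -> device_id
    reset_required: bool = False


def sign_out_all_devices(acct):
    """The 'sign out all devices' control: every session token stops working,
    so any squatter must know the (new) password to get back in."""
    revoked = len(acct.sessions)
    acct.sessions.clear()
    return revoked


def force_password_reset(acct):
    """Automatic response to flagged activity: revoke sessions, block sign-in
    until the owner sets a new password, and return a one-time reset token
    that would be e-mailed to the address on file."""
    sign_out_all_devices(acct)
    acct.reset_required = True
    return secrets.token_urlsafe(32)


def set_new_password(acct, new_password):
    """Store a salted PBKDF2 hash of the new password and clear the reset flag."""
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), acct.salt, 200_000)
    acct.reset_required = False
    return True


def verify_password(acct, candidate):
    """Constant-time comparison of a sign-in attempt against the stored hash."""
    if acct.reset_required or not acct.password_hash:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), acct.salt, 200_000)
    return secrets.compare_digest(digest, acct.password_hash)


if __name__ == "__main__":
    flagged = suspicious_accounts(SAMPLE_EVENTS)
    for name in flagged:
        acct = Account(name, sessions={"tok-a": "tv-1", "tok-b": "phone-9"})
        token = force_password_reset(acct)
        print(f"{name}: revoked sessions, reset token issued ({len(token)} chars)")
```

The sliding window matters: a fixed calendar day would let an abuser straddle midnight and stay under both thresholds. The old password is deliberately useless once `reset_required` is set, since the article's whole point is that the squatter already knows it; only a new password set through the reset token, and then a fresh sign-in, restores access.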