Netflix accounts may not offer the monetization potential of a stolen Facebook account that can be exploited to broadcast fake appeals for money, but they still tempt a subset of hackers who find Netflix series like “Stranger Things” and “Diagnosis” not just binge-worthy but steal-worthy.
And one aspect of Netflix’s account-management system makes their work a little easier.
Analyst Carolina Milanesi of Creative Strategies discovered that during a flight, when she received one email informing her of a changed email address on her Netflix account, followed by a notification of a password change.
With Netflix’s help-support chat function telling her to log in first, she had to wait until landing to call the company to get the account recovered and the password reset.
Netflix support did not ask Milanesi to change the credit card on her account. The service “tokenizes” stored cards, replacing account numbers with digital identifiers only good at Netflix.
That removes a monetary rationale to hack into a Netflix account. So why bother?
“It appears to be just plain old theft!” said Chet Wisniewski, principal research scientist at the security firm Sophos. “I don’t really see anything to it other than getting free Netflix Premium.”
That $15.99-a-month plan provides video in 4K Ultra HD resolution but also allows four simultaneous streams, up from the two of the $12.99 per month Standard plan, making Premium accounts a more attractive prize to share.
“They’re trading them simply to have status with their friends,” he said of discussions about stolen Netflix accounts on various hacking forums.
Wisniewski said most compromises either involve phishing scams that fool victims into giving up their passwords – something Oxford, U.K.-based Sophos warned of last September – or trying passwords leaked in data breaches. He noted that you can safely check a password to see if it’s been exposed at the breach-tracking site Have I Been Pwned.
Milanesi said she does have a Premium plan but had no idea how the hackers could have obtained her password.
Netflix’s security help emphasizes the importance of not reusing passwords, and the company says it watches for odd account activity.
“The Netflix security team uses a variety of measures to protect our members, including monitoring various sites on the internet for credential dumps where data thieves post stolen usernames and passwords,” emailed Katy Dormer, Netflix communications director. “We notify users to change their password when suspicious activity is detected. We also notify users when there is a sign-in to their account on a new device.”
In this case, however, the attacker changed the email address on the account first. That’s where Wisniewski found fault with Netflix: It let him change the email on his account without confirmation via a message sent to the previous address.
“I would want the behavior to be to go to the old address and say, please click this link to approve the change,” he said. “It’s permissive by default instead of blocked by default.”
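As an added illustration (not Netflix’s code, and not something the article describes in detail), here is a Python sketch of the “blocked by default” email-change flow Wisniewski describes: the change is only staged, an approval token is mailed to the old address, and only a valid, unexpired token applies it. The MailLog class, TOKEN_TTL and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 3600  # seconds a pending change stays valid (assumed policy)


@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None
    token_hash: Optional[str] = None
    token_expires: float = 0.0


class MailLog:
    """Stand-in for an outbound mail system; records (recipient, subject)."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def permissive_change(acct, new_email):
    """The 'permissive by default' behaviour the article criticises: the
    address moves immediately and the old one is never consulted."""
    acct.email = new_email


def request_email_change(acct, new_email, mail, now=None):
    """Blocked by default: stage the change and send the approval link to the
    OLD address, so the legitimate owner must click before anything moves."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    acct.token_hash = _hash(token)  # store only a hash of the token
    acct.token_expires = now + TOKEN_TTL
    mail.send(acct.email, "Approve email change to %s" % new_email)
    return token  # in a real system this only ever goes into the email link


def confirm_email_change(acct, token, mail, now=None):
    """Apply the staged change only for a valid, unexpired token."""
    now = time.time() if now is None else now
    if acct.pending_email is None or acct.token_hash is None:
        return False
    if now > acct.token_expires or not hmac.compare_digest(_hash(token), acct.token_hash):
        return False
    old = acct.email
    acct.email, acct.pending_email, acct.token_hash = acct.pending_email, None, None
    mail.send(old, "Your account email was changed")  # notify the old address too
    return True
```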
Wisniewski voiced some sympathy for Netflix in this situation, given its competition for viewers and how relatively little is at stake in a Netflix hack: “The more secure they get, the more inconvenient it gets for their customers.”
Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at firstname.lastname@example.org. Follow him on Twitter at twitter.com/robpegoraro.