Netflix, HBO GO, Hulu passwords found for sale on the Dark Web

It may be time to update all of your passwords. It looks like popular services you likely use have had passwords sold on the Dark Web, which could include your passwords as well. If you use these services, it may be wise to change your passwords, especially if they are used on multiple services. The original post from Sophos on this can be found HERE

BTW … In my opinion, you should also consider multi-factor authentication as well as using pass phrases vs passwords. For those that don’t know, a pass phrase is taking a long sentence you can memorize and using the first letter of each word, making the password truly random. Also make sure to add something at the end if it doesn’t exceed 10 characters to avoid brute force attempts.

Winter is indeed coming, Ned Stark, but it’s looking more like pirates than white walkers: a new report found that thieves may have put your HBO GO account on the auction block on the Dark Web.

The report from Irdeto found that thieves are selling hundreds of stolen logins for popular “over-the-top” (OTT) services such as pay TV and video on demand on Dark Web marketplaces.

Besides HBO GO credentials, the company spotted listings for logins to 42 services, including Netflix, DirecTV and Hulu. All told, during the month of April, Irdeto spotted 854 sets of credentials, listed by 69 separate vendors on 15 marketplaces.

On average, an account’s credentials are fetching $8.71 (about £6.60) for one-time use. Some Dark Web sellers are also selling bundles of credentials for several services at higher prices.

Granted, Irdeto has an interest in bringing attention to piracy and other illicit activities, given that it sells content security and monitoring solutions and services to media and entertainment customers. But there’s no denying that cyber thieves will grab, and sell, these credentials.

Netflix, for one, keeps an eye out for its customers’ credentials turning up in batches of data ripped off in various breaches. Like many online services – including Facebook and Amazon, for example – Netflix’s routine security monitoring includes sniffing around online to see if it can find its user IDs circulating in breach lists.

(It’s worth noting that online services that do this look for account names that seem to match up with those of their own users. If they find any, they try to hash the revealed-somewhere-else passwords against hashed passwords of their own users. If they find that some of the passwords, once hashed, match their own customers’ hashed passwords, it translates into users having used the same password on multiple sites.)

That’s how Netflix wound up closing the accounts, or resetting passwords, of some customers in 2016: after finding their account credentials floating around online, the company zipped up the accounts to keep them from being hijacked.
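The breach-list check described above, sketched as an added example (not code from Sophos, Netflix or the original post). The PBKDF2 parameters, the function names and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2 settings are an assumption for this sketch; a real service would
# reuse whatever KDF and cost its own password store already applies.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_user_record(password: str) -> dict:
    """Build a stored record: per-user random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def find_reused_credentials(breach_entries, user_store):
    """Return our account names whose leaked password matches the stored hash.

    breach_entries: iterable of (account_name, leaked_plaintext_password)
    user_store: dict mapping lower-cased account name -> {"salt", "hash"}
    """
    flagged = set()
    for account, leaked_password in breach_entries:
        name = account.strip().lower()
        record = user_store.get(name)
        if record is None:
            continue  # account name does not belong to this service
        # Hash the leaked password with this user's own salt, then compare
        # in constant time against the hash already on file.
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(name)
    return sorted(flagged)

# Constructed sample data (not real accounts or passwords)
USER_STORE = {
    "alice@example.com": make_user_record("correct horse battery"),
    "bob@example.com": make_user_record("Tr0ub4dor&3"),
}
BREACH_LIST = [
    ("Alice@example.com", "correct horse battery"),  # password reused here
    ("bob@example.com", "hunter2"),                  # name matches, password differs
    ("carol@example.net", "letmein"),                # not a user of this service
]

if __name__ == "__main__":
    for account in find_reused_credentials(BREACH_LIST, USER_STORE):
        print(f"force password reset: {account}")
```

Only the account whose leaked password hashes to the stored value is flagged; a matching account name alone is not treated as evidence of reuse.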

That’s a good move. Who wants to pay for crooks to watch Breaking Bad? Or Disney films, for that matter?
