Thousands of Netflix, Disney+ streaming accounts being stolen

With a surge in home use of video and music streaming services such as Amazon Prime Video, Apple Music, Netflix and Spotify thanks to social distancing and self-isolation measures taken during the Covid-19 coronavirus crisis – as well as the scheduled launch of Disney+ in the UK on 24 March – Proofpoint has warned that cyber criminals are increasingly targeting and hijacking user accounts.

Proofpoint threat researchers reported that cyber criminals have found a way to steal valid streaming credentials and are now selling them online for discounted prices, with the victims almost always completely unaware that they are “sharing” their accounts with malicious actors and unauthorised users.

“Streaming services have skyrocketed in popularity and demand, which makes these consumer accounts increasingly attractive to attackers,” said Proofpoint international cyber security strategist, Adenike Cosgrove. “As people around the world are being asked to remain in their homes due to the coronavirus pandemic, many are turning to these streaming services for entertainment. Attackers will likely follow this pattern and increase their theft and selling of account credentials. We recommend that consumers take a few simple steps to protect their accounts and identify and remove any unauthorised users.”

Proofpoint has identified three ways that attackers can use to steal valid streaming service credentials: via malware, using keyloggers and information stealers unwittingly downloaded to user machines to; via credential phishing attacks, generally via an email that redirects to a fake phishing website used to steal login and credit card information; and finally, via previously stolen credentials combined with password reuse, also known as credential stuffing, where attackers try combinations of usernames and passwords stolen from elsewhere and try to log into streaming services with them.

“Attackers have recognised there’s a huge demand for access to streaming content without having to pay full price,” said the firm’s researchers in a disclosure blog. “At this point there is a very mature, operationalised market for stolen streaming credentials.

“When attackers get your streaming credentials, they sell them to others who will use them to log on and piggyback off of your streaming services, likely without you even knowing it. It’s worth noting that this is a relatively sophisticated online store process. There are multiple options for sale, the seller offers a warranty and even contact information in case of any problems.”

Stolen user accounts are usually sold for a fraction of the price of a legitimate subscription, and the sellers will generally emphasise that the buyers cannot change usernames or passwords as this will void their warranty, and alert the victim that they have been hijacked.