Winter is indeed coming, Ned Stark, but it’s looking more like pirates than white walkers: a new report found that thieves may have put your HBO GO account on the auction block on the Dark Web.
The report from Irdeto found that thieves are selling hundreds of stolen logins for popular “over-the-top” (OTT) services such as pay TV and video on demand on Dark Web marketplaces.
Besides HBO GO credentials, the company spotted listings for logins to 42 services, including Netflix, DirecTV and Hulu. All told, during the month of April, Irdeto spotted 854 sets of credentials, listed by 69 separate vendors on 15 marketplaces.
On average, an account’s credentials are fetching $8.71 (about £6.60) for one-time use. Some Dark Web sellers are also selling bundles of credentials for several services at higher prices.
Granted, Irdeto has an interest in bringing attention to piracy and other illicit activities, given that it sells content security and monitoring solutions and services to media and entertainment customers. But there’s no denying that cyber thieves will grab, and sell, these credentials.
Netflix, for one, keeps an eye out for its customers’ credentials turning up in batches of data ripped off in various breaches. Like many online services – including Facebook and Amazon, for example – Netflix’s routine security monitoring includes sniffing around online to see if it can find its user IDs circulating in breach lists.
(It’s worth noting that online services that do this look for account names that seem to match up with those of their own users. If they find any, they try to hash the revealed-somewhere-else passwords against hashed passwords of their own users. If they find that some of the passwords, once hashed, match their own customers’ hashed passwords, it translates into users having used the same password on multiple sites.)
That’s how Netflix wound up closing the accounts, or resetting passwords, of some customers in 2016: after finding their account credentials floating around online, the company zipped up the accounts to keep them from being hijacked.
That’s a good move. Who wants pay for crooks to watch Breaking Bad? Or Disney films, for that matter?
How to keep your accounts safe
Irdeto recommends that we all keep our eyes out for unusual or unfamiliar activity on our accounts. It also suggests changing passwords regularly, but that won’t do you much good if you’re using weak passwords, or, worse still, re-using passwords.
Be they strong as steel or weak as wet tissue, reusing passwords means that if one service gets breached, crooks can try the same credentials on all your other accounts. Here’s a detailed explanation of the dangers of password reuse, and here’s how to make every one of those passwords robust.
You well might have passwords coming out your ears, and we know it’s tempting to more or less just give up when it comes to creating unique, tough-to-crack passwords for all your accounts. Instead of giving up on security, though, consider using a password manager.
We think they’re a great tool. All you have to remember is one good, strong master password for the manager.
Some, if not all, password managers will run through your passwords and flag any that have been reused, prompting you to come up with stronger, unique passwords that they’ll then store so you don’t have to scribble them down or remember them.
Whatever you choose to do, make sure you’ve got a unique, hefty password before Game of Thrones Season 8 debuts next year, and the pirates storm your cyber fortress.
Here’s how!
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)
RichardD
“It also suggests changing passwords regularly, …”
Which is extremely bad advice, as the NCSC explains:
[link redacted]
Mahhn
Great that Netflix is proactive. (not a user myself) I wonder if they have an Account Activity page, so people see all activity their account has done and what IP was used? This would help people police their own account. Maybe add a statement on the page “if you see activity that was not approved by you, change your password immediately to prevent your account being locked out” .
Just a thought.
David Lightman
I find it supriseing that people well… find this supriseing. Not in a “well of course they they sell that” sort of way either more in a “this is pretty frickin public information” sort of way. It’s not like the dnm’s are exactly trying to hide what they’re selling. That would be counter productive to sales. And I’m not trying to be insulting to anyone who didn’t know this I’m just suprised that somthing that was so common sence to me needed a report written about it.
Chuck
Most of these accounts for sale are not standard user accounts that someone is actually paying for. Acquiring someone’s Netflix or Hulu credentials is certainly how many hackers start off preparation for the take over of a more valuable service, but the last thing they would do is alert the account owner by selling their account information online. Beyond that, most of these services provide by default a large degree of personalization to the extent that it would be pretty obvious to any standard Netflix user if one or more people had been utilizing their account. However, every medium-and-up sized streaming service (or any Cloud service of any kind) is guaranteed to have thousands of fully functional, permanent and free accounts to their service just sitting around. Why? Think about it, if you’re trying to sell your product, licsense to other enterprises, hire a third-party to work on it, there’s literally no reason you would make anyone go through that account creation process in any of those use cases. So either a there’s a big “bank” of accounts out there that can be accessed by entering one of a long list of special credentials or (more likely) there is some more or less secret protocol for generating one-time account credentials that magically create a virgin account whenever they’re used.