[BreachExchange] Massive Illegal Password Sharing Service Busted

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 17 14:19:12 EDT 2021


https://tech.co/news/massive-illegal-password-sharing-service-busted

A Portland, Oregon, federal grand jury has charged a man for a scheme to
steal and resell customer account details for streaming services including
Netflix, Spotify Premium, and HBO Max.

The indictment names Samuel Joyner and an accomplice, Evan McMahon of
Sydney, Australia. It alleges that they operated an online service called
“AccountBot,” through which users could pay a low fee to access stolen
streaming service accounts.

The allegations are a particularly bold example of a hacking risk that
costs streaming services billions each year.

AccountBot Sold Accounts as Low as $1.79

The indictment states that the AccountBot site claimed to have access to
over 217,000 unique customer account credentials and to have served over
52,000 customers.

“AccountBot customers paid between $1.79 and $24.99 for access to the
stolen credentials, depending on how long and which service they wanted to
access,” reports The Verge.

The charges are “conspiracy to commit computer and access device fraud,”
and come with a maximum sentence of five years in federal prison.

The indictment also holds that the men stole the passwords through
credential stuffing attacks, a term for large-scale automated login
requests. With this process, a hacker takes login information from previous
data breaches and feeds each username and password combination into various
streaming services until they find the combinations that work.
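As an added illustration, not part of the article, here is the defender's view of the technique just described: a small Python detector that flags a source address which tries many distinct usernames with mostly failed logins, the fingerprint credential stuffing leaves in authentication logs, while leaving a single hammered username (ordinary brute force) alone. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample login events for this example; the "ip=... user=... result=..." format is an assumption.
SAMPLE_LOG = """\
2021-05-17T14:00:01Z ip=203.0.113.7 user=alice result=FAIL
2021-05-17T14:00:02Z ip=203.0.113.7 user=bob result=FAIL
2021-05-17T14:00:02Z ip=203.0.113.7 user=carol result=OK
2021-05-17T14:00:03Z ip=203.0.113.7 user=dave result=FAIL
2021-05-17T14:00:03Z ip=203.0.113.7 user=erin result=FAIL
2021-05-17T14:00:04Z ip=203.0.113.7 user=frank result=FAIL
2021-05-17T14:01:10Z ip=198.51.100.4 user=carol result=FAIL
2021-05-17T14:01:20Z ip=198.51.100.4 user=carol result=OK
2021-05-17T14:02:00Z ip=192.0.2.9 user=dave result=FAIL
2021-05-17T14:02:01Z ip=192.0.2.9 user=dave result=FAIL
2021-05-17T14:02:02Z ip=192.0.2.9 user=dave result=FAIL
2021-05-17T14:02:03Z ip=192.0.2.9 user=dave result=FAIL
2021-05-17T14:02:04Z ip=192.0.2.9 user=dave result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    # Yield (ip, user, succeeded) tuples; lines that do not match the format are skipped.
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def detect_stuffing(events, min_attempts=5, min_users=4, max_success_rate=0.5):
    # Flag source IPs whose logins look like credential stuffing: many attempts spread
    # across many distinct usernames, mostly failing. One username hammered repeatedly
    # (classic brute force) is a different pattern and is deliberately not flagged here.
    attempts, successes = defaultdict(int), defaultdict(int)
    users, hits = defaultdict(set), defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes[ip] += 1
            hits[ip].add(user)  # accounts that should be force-reset
    flagged = {}
    for ip, n in attempts.items():
        rate = successes[ip] / n
        if n >= min_attempts and len(users[ip]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": n, "distinct_users": len(users[ip]),
                           "success_rate": round(rate, 2), "compromised": sorted(hits[ip])}
    return flagged
```

On the sample data only 203.0.113.7 is flagged, with "carol" listed as the account whose breached password worked; the thresholds are starting points to tune against a real login volume.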

Password Theft Is Huge

These recent charges are far from the first sign that bad actors online are
stealing and reselling passwords to paid services.

In some cases, Facebook, Instagram, or Twitter accounts are stolen, cutting
off the original owner entirely in order to deliver the account to a new
owner who wants a built-in audience or a particularly unique username. But
when it comes to Netflix and Spotify, you'll retain your account — you'll
just have someone else poking around in it.

As many as 350,000 Spotify accounts were hacked in November 2020, while
Netflix passwords were included in a massive compilation of 3.2 billion
credentials that surfaced in February 2021.

In this new charge, no details were given on how much total revenue the
alleged streaming password reselling scheme was bringing in, though it's
hard to imagine the monetary benefits were as high as, say, the millions
that ransomware attackers can potentially make. Still, stealing an entire
inventory would be one way to keep the overhead costs low.

Are Your Passwords at Risk?

One common phishing technique for swiping Netflix passwords involves
building a fake sign-in page or a spoofed account creation page that looks
just like the real thing but exists only to scoop up your password or
payment information.

The solution is a good password manager: Many of the top password keepers
will autoload your password, but only on the real website, and may even
flag spoofed log-in pages. We've rounded up the best options over here.

The other big issue is an unsecured connection, like in a hotel or an
Airbnb rental. Paying a few bucks a month for a great VPN can help with
this, and we have the top VPN solutions ready to go as well. Get a solid
password manager and VPN, and you'll be fairly safe from the password
reselling schemes of the world.

There is still one big downside here, though: Netflix is sure to eventually
cite stolen accounts as the reason why they'll crack down on
account-sharing down the road. Shout out to my old college roommate Joel
for letting me use his Netflix password for the last seven years.