Has my Netflix been Hacked?

Hi guys.
Share a Netflix account with some family members and alarm bells went ringing when I went to watch something and someone had changed the preferred language to Arabic + Arabic subtitles?
Went into my account and can see some buggers from Turkey and Holland have been using the account, my sister changed the pass to something much stronger as it was a weak password.

Has this ever happened to you guys and should I be worried? Also, how on earth did this happen? Did they run a password generator or something? Thanks

I am sure you can see logged in devices if you login to Netflix through a web browser.

1 Like

Yes I have. Some unknown ones like Turkey and Holland are on there.

I would suggest you change your password and de-authenticate them

2 Likes

Yes we have changed the password to a secure one

I wrote a post about password security in the past that is relevant to this: Monzo Plus Roadmap for 2019 📅

There’s a big market online for stolen media streaming accounts, Netflix and Spotify users are the biggest victims of this. The typical situation is this:

  1. You use a password for Netflix that you also use on another service
  2. The other service is compromised
  3. All passwords and email addresses are leaked from the compromised service
  4. Malicious people check every leaked password and email combination on Netflix (and other services)
  5. When a password and email combination are found to work on a service, the account details are noted down as valid
  6. The valid account details are now sold, often for ~$1, typically with the advice “don’t change any settings so that you can keep using the account indefinitely”. The goal isn’t to steal your account from you, it’s to have cheap access to these services, changing your password will resolve the issue – also change your password anywhere else that same password is used.

The protection against this attack is: do not use the same password on multiple websites. There’s also a small chance this came about from phishing, but very unlikely.

6 Likes
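Seen from the service's side, the replay of leaked email and password pairs described in the post above shows up as one source trying many different accounts and mostly failing. The following is an added example, not part of the original post; the log format, function names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real data). Format is an assumption:
# timestamp, source IP, account e-mail, result.
SAMPLE_LOG = """\
2019-01-10T09:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2019-01-10T09:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2019-01-10T09:00:03Z ip=203.0.113.7 user=carol@example.com result=FAIL
2019-01-10T09:00:04Z ip=203.0.113.7 user=dave@example.com result=FAIL
2019-01-10T09:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2019-01-10T09:00:06Z ip=203.0.113.7 user=frank@example.com result=OK
2019-01-10T09:05:10Z ip=198.51.100.20 user=gina@example.com result=FAIL
2019-01-10T09:05:25Z ip=198.51.100.20 user=gina@example.com result=OK
2019-01-10T09:07:40Z ip=198.51.100.20 user=hal@example.com result=OK
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^\S+ ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Yield (ip, user, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3) == "OK"

def find_stuffing_sources(log_text, min_accounts=5, max_success_ratio=0.3):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A household retrying its own password touches few accounts; a leaked-list
    replay touches many, with only the reused passwords succeeding.
    """
    tried, opened = defaultdict(set), defaultdict(set)
    for ip, user, ok in parse(log_text):
        tried[ip].add(user)
        if ok:
            opened[ip].add(user)
    flagged = {}
    for ip, accounts in tried.items():
        ratio = len(opened[ip]) / len(accounts)
        if len(accounts) >= min_accounts and ratio <= max_success_ratio:
            # Accounts listed under "compromised" need a forced password reset.
            flagged[ip] = {"accounts": len(accounts),
                           "compromised": sorted(opened[ip])}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The household address (two accounts, one typo) is not flagged, while the source that walked six accounts is, together with the one account whose password worked.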

If you reuse your password anywhere then it could have been compromised from there. Check your email address(es) on: https://haveibeenpwned.com/ and start using different passwords everywhere

1 Like

Nope the password in question was only used on Netflix, and it was an easy one

You’ve answered your own question here. You used a weak password so they managed to crack it and get in :man_facepalming:

You shouldn’t knowingly use a weak password on anything.

2 Likes

Not really. How did they get the email in the first place knowing it had Netflix associated to it?

Your account was compromised due to a poor password, you said this. Where they got the email address from is irrelevant!

I can guarantee nobody on here hacked your account so we can’t answer your question of where they got your email address from.

Netflix is really popular. I wouldn’t be surprised if they tried random addresses and passwords until one worked.

3 Likes

Are you using any third party Netflix apps? They may have harvested your login, or you may have clicked on a fake login page by mistake.

Seeing as you’ve changed it and only used it for Netflix what was the old password?

There are lists of the top 100 passwords

Fairly easy if you get an email to write a program to cycle through those passwords

As to where they got the email it is possible Netflix had a leak of emails like Twitter did not too long ago. Not always reported especially if things like bank details not leaked.

1 Like

Did you see @glasgow's advice above? Check your email with the haveibeenpwned service. Passwords are irrelevant. Leaked email addresses attract people who then apply these email addresses into popular services using passwords which, in your own words, are “easy ones”.

It is easier than people think to gain access to online services with someone else’s credentials. Once they do - without any warning to the actual user - the actual user needs a big paddle to get out of :poo: creek faster than fast.

“Hard” passwords and 2FA are needed. If you purposely make it hard for yourself to log into an online service, it’ll be even harder for someone else to get in there.

1 Like

It’s also worth using a password manager, that way all your passwords can be difficult and you don’t need to remember them.

Use long strings of words with altered case and swap out letters for example use Z for S as this stops dictionary attacks.

If they have your account, they now have your email, a phone number of yours, possibly your mobile. If it’s your mobile, contact your provider as you’re at risk of a SIM swap attack. Depending on how you pay, they have some of your credit card details and possibly your address. If you’re not already, use PayPal with 2 factor.

1 Like

I’m curious as to why you would ever use an “easy” password for anything?!? :thinking:

2 Likes

Laziness, ease of remembering, lack of a password manager. Lots of reasons. Not that that’s a good excuse :smile:

1 Like

Have you tried entering a 20 char password with special symbols on a TV remote?.. It’s painful…

2 Likes

My LG TV doesn’t remember the password even when you click remember. It was so frustrating. Luckily Sky have added a Netflix app on SkyQ and that seems to remember it so I’ve only had to do it once since then :joy: