From the outside, Netflix's ban on password sharing may seem like a net positive for cybersecurity, but data is already emerging that suggests there are some downsides too — specifically, some streamers have ditched Netflix in favor of Dark Web offerings.
On Feb. 8, in preparation for the US and other large markets, Netflix implemented its new household policy in Canada, New Zealand, Portugal, and Spain. The blowback came hard and fast: By the end of the following month, over 1 million Spanish subscribers had cut the cord, the UK analytics firm Kantar reported.
Where did all those viewers go? Surely not Hulu …
In fact, Check Point researchers soon discovered that Netflix's new policy "has created an ideal scenario for cybercriminals." Former account holders who weren't willing to shell out the extra $7.99 per month to continue their service were turning to steeply discounted deals from the Internet's underbelly, they explained in a May 24 blog post.
On Telegram channels, hackers have promoted "full access" to Netflix for just 190 Indian rupees, equivalent to around $2.30 or €2.15. They could offer such discounts, of course, because they'd hijacked those accounts through compromised user credentials.
As one might expect, these deals weren't as good as they seemed. "These cybercriminals may not uphold their end of the bargain." Check Point researchers said, noting that they have "encountered instances where users either failed to gain access or had their access blocked after a few days, weeks, or months."
Netflix Policy Changes Offer Phishing Opps
Beyond selling hijacked accounts, hackers have been taking advantage of the newsiness around the Netflix story, and the vulnerable position users are put in when major changes occur to their account access, to launch social engineering attacks.
"We saw phishing emails with subjects such as 'Your suspension notification,' 'Update required — Netflix account on hold,' and 'Your subscription is about to expire' being sent from email addresses pretending to be Netflix," says Omer Dembinsky, data group manager at Check Point Software.
Users baited by these timely scams might have ended up at a phishing domain such as "netflix-update-gate2[.]com," he says, where entering the credentials meant handing their accounts over to attackers, who could then resell those accounts on the Dark Web.
Ironically, the best way to prevent secondhand Netflix account trafficking is to follow Netflix's new guidelines. As the researchers advised in their blog post, "it is now time for users to implement the measures that Netflix previously criticized and restrict shared access to their accounts."
The moral of the story? Even with the best of intentions, it's not always easy to predict how a business's policy change will affect its users. Business-to-consumer (B2C) providers should be aware that there can be unintended cybersecurity consequences. In this case, it remains to be seen whether Netflix's password-sharing ban will be net positive or negative for security in the long run.