Last night, I logged into my Netflix account. When I reached the page asking which account I’d like to use, this is what I saw:
That is a little scary. Someone created a random profile on my Netflix account that says “I know where you live”. I didn’t create this account, and neither did anyone in my household.
As a cybersecurity expert who is very familiar with how feasible account takeover is, I immediately took action to protect myself. I deleted that profile, changed my password, and forced Netflix to log out every device it was connected to. But since this was a bit startling, I realized I needed to dig a little further.
How could this have happened? Why wasn’t I notified sooner?
There are a few scenarios that could have taken place.
First, someone could have guessed my password, although that's unlikely because I am a security pro and my passwords are always random characters. Second, my password could have been stolen in a past breach and reused to log in to Netflix. Third, someone in my extended family who has had access to a device connected to my Netflix account could have pulled a prank. (If this is the case, they will find themselves kindly escorted out of their coveted Netflix profile slot... if ya know, ya know.)
At this point, if you aren’t interested in reading the details of how I investigated each, then here is the quick takeaway:
And, if you don't know where to start, here are a couple of tools that helped me:
Let’s look more into the first option. Could someone have guessed my password? Possibly! (But again, I'm a boss, so that's highly unlikely.)
This password strength tester indicated that a high-powered computer could guess my password in 2 hours. But that estimate assumes an offline attack, where the attacker can try guesses as fast as the hardware allows; against a live login page it would require Netflix to allow unlimited unsuccessful login attempts, which they don't. Netflix is a big company with a sophisticated cybersecurity program. They limit your login attempts and lock out your account if you try numerous times. So, this probably didn’t happen.
It’s a little more likely that someone used data from a past breach to make a smarter guess and log into my account. After a little searching, I came across haveibeenpwned, a site that aggregates data from the dark web about past breaches and data dumps. You can type in your email address for free and see if you’ve been “pwned”.
Turns out, I’ve been pwned! Shoot. That means that my old password, regardless of how complex it was, can be guessed if an attacker gets hold of one of these lists, because it is no longer a guess: it is a lookup. If you see that you have been pwned, the best thing to do is change every password on every account that you use. Also make sure that, whenever possible, you don’t repeat passwords. This is an absolute must, as an attacker could take control of multiple accounts just by guessing a single password.
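As an added example (not from the original post), here is how a password can be checked against the haveibeenpwned Pwned Passwords corpus without ever transmitting the password itself: only the first five characters of its SHA-1 hash are sent, and the matching is done locally against the returned range. The live fetch is included for reference, but the demo below runs entirely offline against a constructed range response whose counts are made up.

```python
import hashlib
import urllib.request
from typing import Optional

# Real endpoint of the Pwned Passwords k-anonymity range API.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1.
    Only the 5-char prefix ever leaves the machine; that is the k-anonymity trick."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_response: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many
    times the password appeared in breach corpora, or 0 if it is absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not exercised by the offline demo below."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6. The counts are made up;
# the first suffix is the genuine SHA-1 tail of the string "password".
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0D7E0A7F5C4E2C1E4D9B6A3F2E1D0C9B8A7:2
FFEE11223344556677889900AABBCCDDEEF:1
"""


def is_pwned(password: str, range_response: Optional[str] = None) -> int:
    """Return the breach count for a password; 0 means not found in the corpus."""
    prefix, suffix = split_hash(password)
    body = range_response if range_response is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    hits = is_pwned("password", SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {hits} times in the sample corpus; pick another.")
```

Call `is_pwned("...")` with no second argument to query the real API; a non-zero result means the password is already in circulation and should be retired everywhere it was reused.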
Luckily, I figured out that the third scenario was the correct one. Someone in my extended family pulled a prank and, in doing so, kicked themselves off of our little Netflix island.
All is okay here, but are you confident on your end?
Take this as a gentle reminder that you should check. Any opportunity to further protect your family and their online lives is time well spent.