
Ask HN: My Netflix got hacked – I found out who sold my credentials. What now? - dutchbrit
So, my Netflix account got hacked. Some of the profiles in my account were removed so I lost quite a bit of information on where I was with certain series. Anyway, with a bit of 'research' I managed to track down who sold my login information (Name & address). What's the best thing to do with this information?

PS. I live in The Netherlands. Person who sold my credentials lives in The Netherlands too.
======
scrumper
I apologize if this is a stupid suggestion, but have you tried the Dutch
police? Very probably they have a cybercrime division, and (perhaps less
probably) your thief may be part of a wider ring, or a prolific offender who's
currently under investigation.

Other than losing your place in your various series, have you suffered any
other loss or harm as a result of your account breach?

~~~
dutchbrit
Definitely not a stupid suggestion - I haven't contacted the police yet, no. I
was stuck between contacting this person directly to give him a good scare
(maybe he'd reconsider what he's doing) or contacting the police, or passing
on the info directly to Netflix.

~~~
teh_klev
If it was me I'd contact both the police and Netflix. Let them give this
person a good scare. Doing that yourself might have unintended consequences
such as acts of violence against you or your property.

~~~
hoopism
I am not sure Netflix would give a crap...

They'd want you to change your password to prevent it... but you're supplying
them with a random name and address... pretty sure they aren't interested in
taking it on faith that that person is responsible and then attempting any
intervention.

I would also be fearful of living in any city where Netflix theft is handled
with any serious police resources.

------
hoopism
Hacking a netflix account just seems odd... to what end?

And if you do get credentials, why are you then deleting accounts? Locking the
person out is no use... they'll just cancel. Presumably you don't have 8 bucks
a month to have your own... so you're better off not making any changes and
just enjoying.

So confused.

~~~
patio11
_Hacking a netflix account just seems odd... to what end?_

They're sold to people at a discount relative to Netflix's standard pricing --
e.g. $20 (or BTC equivalent) for 1 year of service. The customers don't always
understand that they're paying a thief/fence for stolen goods.

~~~
jordsmi
Not even that.. You can buy netflix logins for $2 a piece

~~~
hoopism
Looked into this because I have never heard of it.

Based on some forums it appears that often stolen credit cards are used to buy
redeemable codes. Those codes are then sold for far less... Basically washing
the stolen CCs.

Hacking individual accounts seems much more difficult / less rewarding
financially.

~~~
jordsmi
People sell accounts that are from phishers and botnets. Which is mostly less
work than using stolen CCs.

You can buy the accounts for $2 or you can pay $20 for unlimited accounts.
They sell programs that you click a button and it just gives you another
hacked account from their database.

------
mind_heist
dutchbrit - Just before things blow up; it might be useful to recollect what
other services use the same username / password (and fix them all as well).
Mails / Banking / Wealth Management (like Personal Capital, Wealthfront,
Mint etc.) and Money Transfer (Western Union etc.), online shopping accounts
that have saved information of your credit card - and change the password for
all of those too.

If you are a programmer - make sure no one logged into any of your AWS (or
any such public cloud accounts) and generated another pair of keys. You might
not realize anything now, but the attack might come when you totally don't
expect it. They might spin up instances and have a few 1000 $ swiped on your
card. (Amazon will still charge you in these scenarios.)

~~~
dutchbrit
Thanks - it was a password I stopped using a while ago and never used for
anything important - only billable thing it was linked to was Netflix.

------
logn
I disagree with every commenter here. At most, notify Netflix. Why make a
mountain out of a mole hill? You lost some viewing history and having your
personal account invaded is quite unsettling. But it's just a movie watching
service. Nothing was stolen and no one was hurt.

This reminds me of a joke in a Simpsons episode, "I thumb through your
magazines"
[https://www.tumblr.com/search/i%20thumb%20through%20your%20m...](https://www.tumblr.com/search/i%20thumb%20through%20your%20magazines)

------
pbhjpbhj
The "research" was completely legal, right? Not involving accessing or using
computers you didn't have explicit access to access? If not then you'll
probably be considered as guilty as the cracker you were chasing if
the Netherlands has something akin to the UK Computer Misuse Act.

I'd hold off contacting the EC3 if I were you.

~~~
dutchbrit
My research was perfectly legal, yes. I have passed on the information to
Netflix.

------
gnu8
Go to his house and punch him in his goddamn face.

------
mind_heist
You mentioned that they got rid of a lot of profile information (for all we
know, that person might simply be interested in having you Memento'ed) (i.e.)
Just delete all your stuff (mails, foursquare checkins, instagram pics,
facebook posts, last.fm scrobbles, open table reservations, evernote saved
articles, pocket saved articles).

This is not just a loss of your netflix password. It probably leaked a ton of
information about you, your password pattern! I bet you have the same
password for at least a few more services. You have to protect them.

~~~
dutchbrit
I have 5 profiles on netflix - only the 2 last ones were changed - not sure if
they were renamed or if they were deleted and 2 new ones were added - my own
profile was left alone.

------
jpetersonmn
Reset your password and move on. What's the point of pursuing this?

~~~
mind_heist
I think he is now a potential subject for a larger "identity theft" -
depending on how meticulous he has been with respect to passwords for other
services.

The password could have probably been used for Dropbox, Evernote, and even
mail (work and personal) - now making him completely vulnerable to a slew of
attacks!

This is not as simple as changing password for netflix and walking away.

~~~
jpetersonmn
If you use the same passwords for all online accounts in 2015, you should
probably have the keys to the interweb taken away.

------
relaunched
It's not going to be very satisfying, but report it to
[http://www.fbi.gov/report-threats-and-crime](http://www.fbi.gov/report-threats-and-crime)

If there are a series of incidents connected to the same event/person, it may
get prioritized. You can also reach out to your local FBI field office
[http://www.fbi.gov/contact-us/field](http://www.fbi.gov/contact-us/field)

It sucks, but it's a juice worth the squeeze problem.

~~~
kstrauser
I don't think the FBI will do much in the Netherlands.

~~~
jacquesm
The FBI have a permanent liaison with the Dutch cybercrime division. Nice guy
and quite competent.

~~~
pbhjpbhj
... and he handles Netflix account fraud?

------
henpa
For those that don't understand why someone would hack a netflix account,
search "netflix" at fiverr.com and you'd get an idea why!

[https://www.fiverr.com/search/gigs?utf8=%E2%9C%93&search_in=...](https://www.fiverr.com/search/gigs?utf8=%E2%9C%93&search_in=everywhere&query=netflix&page=1&layout=auto)

~~~
Moter8
That search... shows up nothing?

~~~
malfist
I found NoScript was interfering with it. You've got to let their site and
their site's CDN through.

------
jackmaney
Have you contacted his ISP? It probably won't result in anything more than a
sternly worded letter, but you could get lucky and get him dropped from his
ISP (and maybe effectively cut off from home internet service unless he moves?
Dunno if most ISPs in the Netherlands are effectively local monopolies like
they are in the US).

------
inovica
Could this be an isolated case and is this someone you know? Sorry to ask but
could it be someone with a grudge? How did you find out who sold it etc - I
think a bit more information would be useful

~~~
dutchbrit
I don't know him and there are 1000+ accounts affected. I notified Netflix - I
even have all the other credentials. I passed them all emails + passwords and
told them to email all the affected customers. This was 5 hours ago, and I'm
yet to receive an email. I will email these people myself within 48 hours if
Netflix hasn't done so themselves.

~~~
inovica
I'd wait before emailing everyone. You've done the right thing approaching
Netflix. Much like banks, I'm sure they will not want the publicity so
hopefully they will work with you and the affected accounts. I'm hoping that
the passwords are not in plain text though?

~~~
dutchbrit
These passwords are in plaintext.

------
thissideup
How did they get your account information?

~~~
dutchbrit
I really don't know. The only thing I know is that my email account connected
to my Netflix was not compromised. There was a big list (1000+ accounts) that
was for sale - I have this list in my possession and have passed it on to
Netflix. Waiting for them to notify customers but yet to receive an email
(notified Netflix 5 hours ago).

~~~
janesvilleseo
I wonder if my account is in that list. I got my account taken over by a
hacker close to a year ago. I had to call and get it reset. The only way I
knew for sure it was hacked was because the devices they listed contained 1
that I did not own.

I have been a 'victim' a few times ever since the LinkedIn and Adobe breaches
a while ago. It even happened as early as 2 weeks back. It's because I'm a
fool and use the same password multiple times. Now, I don't going forward.

~~~
dutchbrit
Email me - sam.granger@gmail.com and I will check for you.

~~~
Mandatum
Might be a better idea suggesting users search for their email address, rather
than contacting you personally.. I'm able to find the site with yours..

The information has been indexed as of 5 days ago. Credited to
"@LulZSecSecurity"

------
gouggoug
Contacting the police might be your best move here.

Out of curiosity, how did you track him/her down?

~~~
dutchbrit
By Googling his username (and I'm 100% sure I have the correct person) :)

------
skynetv2
maybe

[http://www.justice.gov/criminal/cybercrime/reporting.html](http://www.justice.gov/criminal/cybercrime/reporting.html)

and also your local police department.

~~~
dutchbrit
Sorry, I should have mentioned, I live in The Netherlands - the person that sold
my credentials does too.

~~~
dragonwriter
Well, I'm sure there are law enforcement offices that address cybercrime in
the Netherlands -- though _Netflix_ is in the US, and that might be sufficient
nexus for the US government to investigate, even if they might end up turning
over the information they gather to local authorities where the perpetrators
are for prosecution.

