Blog Threat advisories

Proofpoint: Who’s Using Your Streaming Account? Protect Yourself from Credential Theft

6 min to read
Proofpoint: Who’s Using Your Streaming Account? Protect Yourself from Credential Theft

(The blog post was originally published on March 23, 2020 by our partner, Proofpoint on their page)


Video and audio streaming services continue to disrupt the entertainment industry. Services like NetflixHuluDisney+Spotify, and Apple Music have revolutionized the way we access and consume movies, TV shows, and music. This massive shift has not gone unnoticed by attackers, who have found a way to steal consumers’ valid streaming credentials and sell them for extremely discounted prices. When this happens, many times the account holders don’t know that they’re sharing their accounts with malicious actors/unauthorized users.

Proofpoint researchers have looked into this problem more closely to detail how this is happening and what you can do to protect your accounts.

How Streaming Credentials are Stolen

There are three ways attackers steal valid streaming service credentials: malware, credential phishing, and previously stolen credentials combined with password reuse.


Malware encompasses any type of malicious code that is typically delivered via email or websites and then installed on systems and servers with the aim of disrupting, disabling or taking control of these computing devices. To dodge detection, attackers will hide malware in files, mask it to look like legitimate applications or use other obfuscation techniques to bypass security controls and user detection.

Certain types of malware are designed to search and steal account information. These keyloggers and “information stealers”, among others, have been around for years and are regularly used to steal usernames, passwords, and credit card information. This means if your system or device becomes infected, attackers are able to steal your credentials along with other valuable information.

Credential Phishing

We often see threat actors launch credential phish attacks to access valid streaming service credentials. Credential phishing typically starts with an email that claims there’s an issue with your streaming account that requires your immediate attention, like a payment issue or an update to your billing address, and tells you to click the link to go into your account and correct it.

If you click the link, you’re taken to a site that’s made up to look like the official site’s home page. These sites are often near-perfect copies of the legitimate sites, which can make it hard to distinguish from the legitimate sites.

In Figure 1 you can see an example of a Disney+ credential phishing site.

Figure 1 Disney+ Credential Phishing Site

In Figure 2 you can see a Spotify credential phishing site.

Figure 2 Spotify Credential Phishing Site

In Figure 3 you can see a Netflix credential phishing site.

Figure 3 Netflix Credential Phishing Site

Once at the fake home page, you are prompted to enter your username and password. At that point the attackers have stolen your legitimate information and can use that to access your account just like you.

Sites not only try to steal your credentials, but they’ll also put in place credit card entry pages to try and steal your credit card information as well.

In Figure 4 you can see a fake Spotify site set up to steal credit card information.

Figure 4 Spotify Credit Card Phishing Site

In Figure 5 you can see a fake Netflix site set up to steal credit card information.

Figure 5 Netflix Credit Card Phishing Site

As you can see, the quality of these sites is incredibly detailed and closely reflect the real streaming sites. The Netflix credit card phishing site even includes a lock and the words “secure server” to help the intended victim feel this is legitimate and safe.

Previously Stolen Credentials/Password Reuse

Attackers also gain access to streaming accounts through a combination of previously stolen credentials and password reuse, a practice sometimes referred to as “credential stuffing.” In these cases, the streaming account information isn’t stolen directly but instead attackers take usernames and passwords that have been previously stolen elsewhere and try them against streaming services. If someone has had their credentials stolen and is using that same username and password that was stolen on a streaming site, the attackers can access to that streaming account.

What Happens with Stolen Streaming Credentials

Attackers have recognized that there’s a huge demand for access to streaming content without having to pay full price. At this point there is a very mature, operationalized market for stolen streaming credentials.

When attackers get your streaming credentials, they sell them to others who will use them to log on and piggyback off of your streaming services, likely without you even knowing it.

In Figure 6 you can see an online shop offering stolen streaming Disney+ credentials for sale.

Figure 6 Stolen Disney Plus Credentials for Sale

In Figure 7 you can see the checkout process at the same online shop.

Figure 7 Stolen Disney+ Credentials at Checkout

It’s worth noting that this is a relatively sophisticated online store process. There are multiple options for sale, the seller offers a warranty and even contact information in case of any problems.

These stolen credentials are being sold for a fraction of the price of a legitimate subscription and emphasizes that the buyer cannot change the username or password on the account as it will void the warranty. More importantly, changing the login credentials would also alert the legitimate account holder that they’ve lost control of their account and likely start a recovery process that would lock the unauthorized user out. Attackers that abuse credentials do absolutely everything possible to avoid detection because that would end their ability to use these stolen credentials.

Protecting your Streaming Account

Most major streaming services have options within their settings to manage devices connected with the account. To immediately confirm if you have unauthorized users on your streaming accounts, we recommend that you log into your settings to review recent streaming activity associated with the account.

 For example, in Figure 8 you can see the activity controls in Netflix.

Figure 8 Netflix Activity Controls

From this screen, you can view previous activity and force all devices associated with your account to sign out. It’s important to note that if you see unauthorized activity you should change your password to a new, strong password BEFORE you sign out of these devices, otherwise attackers will be able to continue using the same credentials to access your account.

The best ways you can proactively protect your streaming credentials are to keep your operating system, browsers and plug-ins up to date and never click links embedded in emails or attachments to visit a streaming site, it is always best to type a web address directly into the web browser yourself.  It is also important to always use a unique strong password for each of your streaming sites, ideally in conjunction with a password manager.

Additionally, many streaming services now provide an option that notifies you anytime a new device connects to your account. Selecting this option will allow you to verify that each device is authorized and take action if it is not.


Streaming services are a valuable modern convenience and attackers have come to recognize their value as well. Credential theft and account piggybacking are an increasing problem for streaming services and their legitimate customers. Fortunately, there are steps available that you can immediately take to prevent and remedy this issue.

Share this article

Upcoming event

Black Hat MEA 2024

  • KSA
  • Riyadh