In earlier generations, individuals seeking to access in-house entertainment without paying resorted to measures such as illegal cable hookups or downloading mp3s from Napster. Nowadays, as content is delivered on-demand through online streaming services, the only thing preventing an aspiring viewer from reaching massive libraries of content is a legitimate username and password.
Anyone even marginally familiar with the dark web knows that credentials for popular streaming services are shared widely on forums and paste sites. Threat actors harvest them through credential stuffing attacks and then distribute them for free or sell them for several cents apiece.
A post offering 1000+ Netflix accounts
With so many credentials available, we attempted to discover how many Netflix and Disney+ accounts were shared from January 2020 through March 2021.
We calculated the number of accounts that posts advertised as shared or for sale, as well as the number of unique usernames and passwords that we were able to verify, such as those in the post below.
Netflix usernames and passwords on a paste site
Our count of advertised accounts can be seen as a maximum, and our count of verified accounts as a minimum, for the number of compromised accounts.
Our investigation found 805,085 Netflix and 596,502 Disney+ advertised accounts, corresponding to 0.39% of all Netflix and 0.63% of all Disney+ accounts.
There were 114,491 Netflix and 106,424 Disney+ unique verified accounts. This means that at least 1 out of every 1,650 Netflix accounts (0.061%) and 1 out of every 714 Disney+ accounts (0.139%) were leaked to the deep and dark web in 2020.
Both metrics were very volatile from month to month. We attribute this to several factors: Due to COVID lockdowns, the supply and demand for Netflix and Disney+ accounts peaked in March-May 2020, then reverted as the year progressed.
Despite a slight uptick in the fall, overall numbers trended downwards as content providers presumably improved defensive measures. In November, the numbers dropped precipitously when a popular site for posting credentials went down.
From a defender’s perspective, this offers several opportunities to frustrate the supply chain of account compromise.
Account providers—whether streaming services or banks—can take measures to disrupt the procurement, distribution, and consumption of compromised accounts.
This includes preventing password reuse, blocking suspicious login attempts, and requiring more stringent authentication (MFA). They can also monitor distribution channels on the deep and dark web to immediately lock down any account whose credentials are shared.
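One way a provider could act on credentials found through such monitoring, as an added example that is not part of the original study: it extracts unique email and password pairs from a paste, checks them against the service's own salted password hashes, and marks verified matches for lockdown. The PBKDF2 store layout, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# "email:password" or "email | password" lines, the usual combo-list layout.
COMBO_RE = re.compile(
    r"^\s*([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*[:|]\s*(\S+)")
PBKDF2_ROUNDS = 100_000  # assumption: the store uses PBKDF2-HMAC-SHA256


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def parse_paste(text):
    """Return the set of unique (lowercased email, password) pairs in a paste."""
    pairs = set()
    for line in text.splitlines():
        m = COMBO_RE.match(line)
        if m:  # banner and junk lines simply do not match
            pairs.add((m.group(1).lower(), m.group(2)))
    return pairs


def accounts_to_act_on(paste, store):
    """Map each leaked email that is one of ours to 'lock' or 'notify'.

    'lock'   : the leaked password verifies against the stored hash.
    'notify' : the email is ours but the leaked password is not current.
    """
    actions = {}
    for email, password in parse_paste(paste):
        record = store.get(email)
        if record is None:
            continue  # not our customer
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            actions[email] = "lock"  # verified leak overrides any 'notify'
        else:
            actions.setdefault(email, "notify")
    return actions


# Constructed sample data, not real credentials.
SAMPLE_STORE = {
    "alice@example.com": (b"salt-a", hash_password("Winter2020!", b"salt-a")),
    "bob@example.com": (b"salt-b", hash_password("correct-horse", b"salt-b")),
}
SAMPLE_PASTE = ("1000+ accounts, fresh\nAlice@Example.com:Winter2020!\n"
                "alice@example.com:Winter2020!\nbob@example.com | oldpassword1\n"
                "carol@example.net:hunter2\n")
```

The split between the parsed pairs and the verified matches mirrors the study's distinction between advertised and verified accounts.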
In this study, it appears that a mix of factors drastically reduced the number of available Netflix and Disney+ accounts.
However, we do not anticipate that this victory is decisive and permanent.
History tells us that adversaries will adapt and develop new tactics, techniques, and procedures. In the near future, it is likely that actors will discover a new distribution method.
Sooner or later, they will also find a new way, such as location and hardware spoofing, to circumvent account protection measures.
Only continued monitoring and agility will allow security engineers to detect and outwit adversaries when the next round arrives.