How stolen streaming logins result in torrents of legal action

If your streaming credentials are stolen, how can they be misused? Someone may try to sell them on, or perhaps roll them into a data dump doomed to lurk online forever more. Perhaps someone may try to reuse your passwords for other services associated with your email, or even the email itself.

However, did you stop to consider that the thief may be using your logins to accidentally or otherwise drop you into a spot of legal trouble? Probably not. Shall we take a look?

A stream of legal action

TorrentFreak reports that a user turned staff member of a site called DanishBytes has been sentenced to three months’ probation and 80 hours of community service. The user’s IT equipment has also been removed, on account of getting up to mischief on the file sharing site. The real kicker is what this individual was doing to get themselves into this much trouble in the first place.

From login grabbing to content piracy

In this case, the individual in question was obtaining stolen logins through “hacking” according to reports (one would assume this to most likely be phishing, as opposed to hacking anything). They also downloaded credentials collected by others. The logins belonged to account holders on both the Netflix and TV 2 Play platforms.

The DanishBytes staffer would then upload content to the torrent site taken from the stolen accounts, potentially associating unwitting users with the uploads depending on the content tracking or anti-piracy measures used by the affected services. It’s worth noting that in this case specifically, anti-piracy group Rights Alliance did not, or could not, confirm if copies were traced via tracking technology such as watermarks.

Even so, there’s no easy way to know which organisation does or does not embed identification or tracking of some form or another into streamed content. Indeed, some streaming services make it difficult to even take a screenshot of a show you’re watching, giving would-be photographers nothing but a black screen.

The long arm of copyright law

Copyright holders take this kind of thing very seriously. I suspect many people wouldn’t even know where to begin should they be told their streaming login had been used to upload content without permission. Again, we must stress that there’s no indication here of this happening, and everyone involved seems to understand that the fault is entirely with the login-swiping content uploader.

In other words, if your login was compromised and used to grab the material later torrented, you shouldn’t worry. For the time being, it’s mainly something to think about.

What are your security options for streaming services?

It’s never a bad time to brush up on some of the security options available for your streaming service of choice. Here are a few comments and suggestions for some of the biggest streaming services around: Netflix, Disney+, Paramount+, and Amazon Prime Video.

Netflix

  • There is no 2-factor authentication (2FA) at time of writing.

  • Given the lack of 2FA, you should consider adding your Netflix password to a password manager.

  • You can recover lost login details via email (expires after 24 hours), or SMS (expires after 20 minutes). You can also recover account information via billing details if the option is available in your region. If it all goes wrong, then at the very least you should be fine to recover via SMS, as the phisher is not likely to have physical possession of your mobile device.

  • If you have not been phished, but you’ve misplaced a logged-in device, you can sign out via your account page.

Disney+

  • Like Netflix, there is currently no 2FA option available.

  • Should your Disney+ login be stolen, you can reset via a 6-digit code which will be sent to your email address. This code has a tight expiration time of 15 minutes. If your email address reuses your Disney+ password, there’s a chance the attacker may already have control of both your Disney+ login and your email account. You’d need to try and reset your password for the streaming service as quickly as possible, and then change your email login too.

  • If all else fails, Disney suggests contacting customer support.

Paramount+

  • There is, again, no 2FA available here.

  • Security information seems to focus mainly on generic password reset options and parental controls. There may well be additional security options made available down the line, but for now the best advice is to ensure you don’t use an easy-to-guess password and make use of a password manager.

Amazon Prime Video

  • Amazon video content has a lot of angles to consider, as you can (for example) purchase standalone titles without having a Prime account. In essence, everything is tied to your Amazon account, and Amazon makes it clear when you’re dealing with third parties. Either way, payments still go through Amazon’s one-click payment system in those situations.

  • Unlike many other major streaming services, Amazon allows you to make use of 2FA to help keep your login more secure. Once set up, logging in or trying to access your account data will involve sending a One Time Password (OTP) to your mobile, in order for you to view it or simply sign in. You’ll also be sent notification emails, depending on the type of sign in or data request.

  • If you’d rather use 2FA with something other than your mobile, Amazon will also let you use an authenticator app.

  • If you no longer have access to your mobile or email address associated with your account, never fear. As with Disney+, you’re able to contact customer service and try to resolve the problem that way.

There’s a multitude of streaming services available outside of the above four, and not a lot of consistency in terms of available options or missing features. They’re all pretty much doing their own thing, and you may find you have to add some additional security tools and practices of your own to complement the options on offer from your paid subscriptions. No matter what you’re watching, this story is a valuable reminder that there are people out there who will use your logins in all sorts of ways you couldn’t possibly predict.


ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.