My Netflix Account was Hacked … Again

Someone Hijacked My Netflix Account

Several someones, perhaps. They had the gall to upgrade my account from 2 to 4 screens. They also renamed two of my “Who’s Watching” profiles to “Hide” and “hide”. Still not sure what that accomplishes.

This was surprising for a few reasons:

  • Only my wife and I have access to the password for Netflix.
  • I use very strong, random passwords generated by my favorite secure password manager, LastPass.
  • My LastPass account is secured by a very strong password and 2-factor authentication.
  • Any password recovery attempts would send an email to my Gmail account, which requires a strong password and is also protected by 2-factor auth.
  • Three days ago, I received a warning from Netflix because they noted suspicious activity. They told me they reset my password. I then logged in and changed it myself, again using a strong password generated by LastPass.

Yet yesterday, I received an email from Netflix that my account was upgraded without my intervention.

How To Check If Your Netflix is Hacked

I spent a good 20 minutes batting questions back and forth with Netflix customer service over chat.

We took a look at the My Activity page. You might want to do the same. It shows everything you’ve been watching. If you see anything unusual in there, click the link at the top named See recent account access.

The Recent Account Access page shows you every IP address and country that’s accessing your account.

I had entries from Germany, Italy, and all over the US.


What To Do If Your Netflix is Hacked

Netflix customer support told me to change my password, yet again. I changed my password to a 60-character random value, the maximum allowed.

They also told me to go into My Account > Settings and click on Sign out of all devices.

They assured me that this would solve the problem.

It’s been 2 days, and there’s been no further access.

How Do I Think My Netflix Got Hacked?

I don’t know for sure. There are many possibilities.

My home network could be infiltrated. Hoping it’s not that.

I didn’t always use different, strong passwords for every single service. Years ago, when I signed up for Netflix, I used a pattern where I’d use a non-dictionary word or phrase, and suffix it with the service name. So perhaps it’d be something like “gr8tstuff@netflix”.

I’m guessing my email and a variation of this password showed up in a data breach somewhere. Let’s say it was the Yahoo! breach, which recently leaked 500 million accounts and passwords.

If my account at Yahoo was protected by a password like “gr8tstuff@yahoo”, then a clever hacker would see that I’m following the pattern of a known string followed by the service name. They could easily guess that I might also have a Facebook account protected by “gr8tstuff@facebook” and a Netflix account with “gr8tstuff@netflix”.
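To find out whether any of your own passwords still follow a pattern like this, you can audit an export of your password vault. The sketch below is an added example, not part of the original post: the vault entries are constructed, and the function names `strip_service` and `find_derivable` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample vault entries (service, password); not real credentials.
SAMPLE_VAULT = [
    ("yahoo", "gr8tstuff@yahoo"),
    ("netflix", "gr8tstuff@netflix"),
    ("facebook", "gr8tstuff@facebook"),
    ("bank", "k3Vq!x9Lr2#TzP0wYb7m"),
    ("forum", "Forum-gr8tstuff"),
]

def strip_service(service, password):
    """Return the password with the service name (any case) and adjacent
    separators removed, or None if the service name does not appear."""
    pattern = re.compile(r"[\W_]*" + re.escape(service) + r"[\W_]*", re.IGNORECASE)
    if not pattern.search(password):
        return None
    return pattern.sub("", password).lower()

def find_derivable(vault):
    """Group services whose passwords reduce to the same base string once
    the service name is removed. One leak from a group exposes the rest."""
    groups = defaultdict(list)
    for service, password in vault:
        base = strip_service(service, password)
        if base:  # skip passwords that do not embed the service name
            groups[base].append(service)
    return {base: sorted(svcs) for base, svcs in groups.items() if len(svcs) > 1}

if __name__ == "__main__":
    for base, services in find_derivable(SAMPLE_VAULT).items():
        print(f"shared base {base!r} reused across: {', '.join(services)}")
```

Every service it lists should get a fresh random password from the password manager.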

Or perhaps Netflix was hacked a while back, and my old password was used by many individuals until I changed it recently.

In any case, just changing my password wasn’t enough to kick out the interlopers using my old Netflix password. Their devices still had access.

How To Log Into Netflix on Roku with a Really Long Password

I’d rather sled bare-back on a giant cheese grater than type 60 random characters into a Roku with a remote control. Let alone 3 Rokus.

Roku has Android and iOS apps, and they support typing (and copy-pasting) using your smartphone or tablet keyboard. This is a life-saver.

Here’s the official Roku app in the Google Play Store. Here’s the official Roku app in the iTunes App Store. The iOS app is hard to find using an iPad. You have to change your filter from “iPad Only” apps to “iPhone Only” apps.

Once you have the app talking to your Rokus:

  • Navigate to the Netflix login screen on the Roku. Enter your email.
  • Open the Roku app on your phone or tablet and select the Roku device you want to control. Click the Remote button to open the virtual remote control.
  • In the Roku app, tap the keyboard icon near the bottom. This should open a text box and show the virtual keyboard.
  • Switch to your password manager and highlight/copy your password.
  • Switch back to the Roku app.
  • Paste the password into the text field in the Roku app. Watch all the characters get typed into the Roku.
  • Realize that pasting 60 characters in a row doesn’t work reliably and login is failing.
  • Divide your password up into 6 groups of 10 characters.
  • Flip back and forth between apps pasting 10 characters at a time.
  • Keep doing this until it works.
  • It’s still better than typing 60 random characters.

What Could Netflix Do Better?

  • Require re-authentication to change service levels.
  • Make sure old passwords don’t work for changing service levels.
  • Allow users to restrict viewing to known countries.
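The first two suggestions can be sketched as a credential epoch plus a recent-login check. This is an added example, not Netflix's implementation and not code from the original post: the `Account` and `Session` model, the `upgrade_plan` function and the 300-second `REAUTH_WINDOW` are all assumptions made for illustration.

```python
import hashlib, hmac, os

REAUTH_WINDOW = 300  # assumed: seconds a login counts as recent

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        self.screens = 2
        self.cred_epoch = -1
        self.change_password(password)  # sets salt and hash, epoch becomes 0

    def change_password(self, new_password):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.cred_epoch += 1  # sessions issued under the old password go stale

    def check(self, password):
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

class Session:
    def __init__(self, account, now):
        self.account, self.epoch, self.auth_time = account, account.cred_epoch, now

    def valid(self):
        return self.epoch == self.account.cred_epoch

def login(account, password, now):
    return Session(account, now) if account.check(password) else None

def upgrade_plan(session, screens, now, password=None):
    """Change the service level only for a live session that logged in
    recently or that re-enters the current password."""
    if not session.valid():
        return "denied: session revoked"
    if now - session.auth_time > REAUTH_WINDOW:
        if password is None or not session.account.check(password):
            return "denied: re-authentication required"
        session.auth_time = now
    session.account.screens = screens
    return "ok"

if __name__ == "__main__":
    acct = Account("old-pass")  # constructed sample credentials
    stale = login(acct, "old-pass", now=0)
    acct.change_password("new-pass")
    print(upgrade_plan(stale, 4, now=10, password="old-pass"))
    print(upgrade_plan(login(acct, "new-pass", now=20), 4, now=30))
```

Because each session records the epoch it was issued under, a password change revokes every logged-in device at once, without a separate "Sign out of all devices" step.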

Is My Netflix Account Secure Now?

I don’t know. Time will tell.

Published by

Larry Silverman

Larry Silverman is a father and husband, software developer, small-business owner, DIY tinkerer, occasional musician, continuous learner, free thinker, despiser of yard work and comma abuser.
