My Netflix Account was Hacked … Again

Someone Hijacked My Netflix Account

Several someones, perhaps. They had the gall to upgrade my account from 2 to 4 screens. They also renamed two of my “Who’s Watching” profiles to “Hide” and “hide”. Still not sure what that accomplishes.

This was surprising for a few reasons:

  • Only my wife and I have access to the password for Netflix.
  • I use very strong, random passwords generated by my favorite secure password manager, LastPass.
  • My LastPass account is secured by a very strong password and 2-factor authentication.
  • Any password recovery attempts would send an email to my Gmail account, which requires a strong password and is also protected by 2-factor auth.
  • Three days ago, I received a warning from Netflix because they noted suspicious activity. They told me they reset my password. I then logged in and and changed it myself, again using a strong password generated by LastPass.

Yet yesterday, I received an email from Netflix that my account was upgraded without my intervention.

How To Check If Your Netflix is Hacked

I spent a good 20 minutes batting questions back and forth with Netflix customer service over chat.

We took a look at the My Activity page. You might want to do the same. It shows everything you’ve been watching. If you see anything unusual in there, click the link at the top named See recent account access.

The Recent Account Access page shows you every IP address and country that’s accessing your account.

I had entries from Germany, Italy, and all over the US.


What To Do If Your Netflix is Hacked

Netflix customer support told me to change my password, yet again. I changed my password to a 60-character random value, the maximum allowed.

They also told me to go into My Account > Settings and click on Sign out of all devices.

They assured me that this would solve the problem.

It’s been 2 days, and there’s been no further access.

How Do I Think My Netflix Got Hacked?

I don’t know for sure, there are many possibilities.

My home network could be infiltrated. Hoping it’s not that.

I didn’t always use different, strong passwords for every single service. Years ago, when I signed up for Netflix, I used a pattern where I’d use a non-dictionary word or phrase, and suffix it with the service name. So perhaps it’d be something like “gr8tstuff@netflix”.

I’m guessing my email and a variation of this password showed up in a data breach somewhere. Let’s say it was the Yahoo! breach, which recently leaked 500 million accounts and passwords.

If my account at Yahoo was protected by a password like “gr8tstuff@yahoo”, then a clever hacker would see that I’m following the pattern of a known string followed by the service name. They could easily guess that I might also have a Facebook account protected by “gr8stuff@facebook” and a Netflix account with “gr8tstuff@netflix”.

Or perhaps Netflix was hacked a while back, and my old password was used by many individuals until I changed it recently.

In any case, just changing my password wasn’t enough to kick out the interlopers using my old Netflix password. Their devices still had access.

How To Log Into Netflix on Roku with a Really Long Password

I’d rather sled bare-back on a giant cheese grater than type 60 random characters into a Roku with a remote control. Let alone 3 Rokus.

Roku has Android and iOS apps, and they support typing (and copy-pasting) using your smartphone or tablet keyboard. This is a life-saver.

Here’s the official Roku app in the Google Play Store. Here’s the official Roku app in the iTunes App Store. The iOS app is hard to find using an iPad. You have to change your filter from “iPad Only” apps to “iPhone Only” apps.

Once you have the app talking to your Rokus:

  • Navigate to the Netflix login screen on the Roku. Enter your email.
  • Open the Roku app on your phone or tablet and select the Roku device you want to control. Click the Remote button to open the virtual remote control.
  • In the Roku app, tap the keyboard icon near the bottom. This should open a text box and show the virtual keyboard.
  • Switch to your password manager and highlight/copy your password.
  • Switch back to the Roku app.
  • Paste the password into the text field in the Roku app. Watch all the characters get typed into the Roku.
  • Realize that pasting 60 characters in a row doesn’t work reliably and login is failing.
  • Divide your password up into 6 groups of 10 characters.
  • Flip back and forth between apps pasting 10 characters at a time.
  • Keep doing this until it works.
  • It’s still better than typing 60 random characters.

What Could Netflix Do Better?

  • Require re-authentication to change service levels.
  • Make sure old passwords don’t work for changing service levels.
  • Allow users to restrict viewing to known countries.

Is My Netflix Account Secure Now?

I don’t know. Time will tell.

Mute the microphone in GoToMeeting using a hotkey and AutoHotKey

My favorite Windows desktop automation utility is AutoHotKey. I use it to fix a variety of annoyances and add functions to applications that I wish the original authors had seen fit to add.

I like being able to mute my microphone quickly using a hotkey combination when using a voice chat app. We use GoToMeeting at work. GoToMeeting doesn’t seem to provide any hotkey capabilities for common operations like muting the microphone.

When in use, the Windows GoToMeeting client presents a control interface that contains common controls like mute/unmute, webcam and screen sharing. It looks like this:

GoToMeeting UI

I tried to use the WindowSpy utility that comes with AutoHotKey to get the window and control information for that microphone mute button. However, it doesn’t appear that the mute button is a gettable control.

So I’ll use AutoHotKey’s ControlClick command to click the microphone mute button for me using X,Y coordinates relative to the window container.

Below is my AHK snippet, which I place within my general AutoHotKey.ini file. It maps Ctrl-Alt-X to click that button. Ctrl-Alt-X is a keyboard combo that I can strike one-handed, but which I won’t accidentally invoke otherwise. You can map it to whatever keyboard combination you like.

I admit the solution is brittle. If GoToMeeting changes their UI such that the coordinates of the mute button change, this will break.  They’ve done it before.

Then again, mapping AHK to window and control IDs isn’t exactly rock solid anyway, so these kinds of fixup scripts are always a little brittle.


; Ctrl-Alt-x toggles mute in GoToMeeting
; SetControlDelay is recommended by AHK to
; improve reliability by avoiding holding
; the mouse button down during the ControlClick.
SetControlDelay -1
; Specifying NA avoids marking the target
; window as active and avoids merging its
; input processing with that of the script, yada yada. RTFM.
ControlClick, X50 Y25, ahk_class G2WShareActionButtons,,,, NA

It’s Not Dead Yet – Fixing the Onkyo TX-SR606 HDMI board

In July 2007, I was in the market for a surround-sound receiver with HDMI support. My research led me to purchase Onkyo receiver, model TX-SR605, from the now-defunct Circuit City. I was very happy with the receiver until 9 months later when it decided that of the two possible operational states, “off” and “on”, it preferred “off” 100% of the time.

It was still under warranty. Circuit City had me bring it to a nearby Onkyo-certified repair center. And there it sat for two months awaiting a part, “Micro Q701”, which never came.

I called Onkyo and raised a storm, and they somehow miraculously found and shipped the part overnight. But it didn’t fix the problem.

After considerable badgering, Onkyo swapped out the 605 with the next model up, the TX-SR606. The TX-SR606 has worked well for the past five years.

This month, we purchased our first Blu-Ray player. While playing our very first Blu-Ray, the receiver would frequently drop the HDMI signal and black out. No Signal, no good.

Apparently the TX-SR606 is notorious for its shoddy HDMI switching board. The internet is full of complaints and some DIY instructions for attempting repairs.  The following sites were very helpful:

As with so many consumer electronics failures, bad capacitors are to blame.

I researched which capacitors to purchase and settled on this item at DigiKey. I needed 5 but bought 10 just in case. The total order was $4.85 and the shipping cost more than the parts.

The parts arrived yesterday, and last night I worked on the receiver.

Of all the repairs I’ve attempted, this was on the easy side. The receiver’s case was easy to remove. The HDMI board was right on top and easily accessible. I was thankful for the tips I’d read regarding disconnecting the ribbon cables without damaging them by pushing down on the white connector.

The work took just about two hours from start to finish. Here are pictures of the modified board with the new capacitors highlighted (click to enlarge).



I tested the Onkyo after re-assembly, and the fix seems to have worked. I successfully played 15 minutes of a Blu-Ray without any dropouts.

There remains a weird problem whereby occasionally, when switching HDMI channels, the screen takes on a purple hue.

As a work around, switching back and forth, or going into the receiver’s Options menu and back, seems to clear it up. I’ll have to research this problem separately.

I Am a Flasher

I love to flash my phone. There, I said it. I’m out.

I’m a tinkerer. I love to learn how everything works. And once I understand how things work, I try to make them just a little bit better.

I currently own a Verizon Samsung Galaxy Nexus (toro). I used it stock for a couple of weeks, and then I rooted it and began exploring alternate ROMs. Verizon was dragging its heels bringing the latest version of the Android operating system to this phone and I wanted to experience the best Google had to offer.

For months, I tried various ROMs and kernels. I’ve probably flashed the phone over a hundred times. I eventually settled on Cyanogenmod 10.1 nightlies and either CM kernel or Franco kernel, depending on mood.

Over time and successive flashes of nightly builds, my phone became inexplicably slower and slower. It would stutter, pause, delay. Very frustrating, and as I was following all the best practices for flashing alternate ROMs, very puzzling.

I was using the same process with my Asus Nexus 7 tablet and its performance was worse than the phone’s.

A fan of the Stack Exchange network of sites, I posted this question to the Android Stack Exchange. I’ll quote from myself here:

I have a Verizon Galaxy Nexus (toro). I am running Cyanogenmod 10.1 ROM nightlies and I use CyanDelta Updater to stay up to date.

For a period of about 3 weeks, I updated to the latest nightly nearly every day using CyanDelta. Sometimes I’d download the full ROM instead of using CyanDelta. During this time, I never wiped the device (aka factory reset). I just applied the new release on top of the old.

Recently, my phone’s performance degraded significantly. There were long delays unlocking, long delays switching apps, long delays doing just about everything. The phone would freeze up, and the OS would ask if I wanted to end a process because it wasn’t responding. My podcatcher would stutter while playing.

Instead of switching to another ROM, I decided to first do a full wipe (factory reset). I used Titanium Backup to back up my user apps and data. In TeamWin Recovery, I did a factory reset, flashed the same CM 10.1 nightly I was running previously, restored my apps using Titanium, signed into accounts, etc.

My phone’s performance has been completely restored. It’s like night and day.

My question is: Why did that work? What is it about applying successive ROM versions that could cause a slowdown that a wipe would fix?

I love my new level of performance, but I also enjoy keeping up with the latest releases. It would seem I can’t have my jelly beans and eat them too. Now I’m reluctant to flash any updates without doing a full wipe.

I didn’t receive any good leads on answers. Every now and then I’d google for solutions. Late last week, I think I may have found a possible answer. I followed up my own question with an answer:

I’ve come up with one potential answer myself: TRIM

Solid state disks (SSDs) and some flash memory require the operating system to perform a kind of housekeeping task to maintain the efficiency of the device.

The operating system command TRIM is explained in this AnandTech article:

Its applicability to certain Android devices, including my Samsung Galaxy Nexus and ASUS Nexus 7 is explained in these XDA Developers threads:

An XDA member wrote an app called LagFix which purports to exercise the TRIM maintenance function, thus restoring write performance for the device.

Since I recently performed a complete factory reset, I’m no longer having performance problems and thus I can’t directly corroborate the purported benefits of LagFix. If I’m in a position where performance is suffering, I may do some benchmarking and see if LagFix improves the situation.

Please be aware if you plan to try LagFix that there are some devices that have chips that do NOT play nice with this utility. These chips have what’s come to be called a BrickBug, and if you run LagFix on one of these devices, you will irrevocably brick your device.

I highly recommend you follow the advice and read the LagFix FAQ. It points to a utility which can tell you if your device contains a chip that may suffer from the BrickBug.

One aspect I haven’t figured out yet is why a factory reset might restore performance. I’d like to figure out whether a factory reset performs a TRIM cleanup. My meager understanding of the TRIM process from my experience using PCs and SSDs is that if the OS doesn’t have integrated TRIM support, you need a separate utility to periodically sweep the disk.

I purchased the pro version of LagFix to support the developer and I have running on a schedule. I’m hoping that’s the end of my performance woes.

Nifty Skype Trick

Here’s a favorite Skype trick of mine. If I know I want to be able to walk around during a meeting, I’ll get Skype loaded up on my Android phone as well as my computer. When the call comes in, both devices ring. I can answer the call on either device. After, I can switch seamlessly, throwing the call back and forth between the two.

I’m not sure if it’s required to have the Android version up and running ahead of time, but I usually do it this way to make sure the call gets registered on the phone if I plan to answer it on the PC.

While in the call on the PC, I locate the call details on the Android device, and tap and hold. Then I can join the call. The call jumps to the phone and hangs up on the PC. The reverse works as well.

I’m not sure yet whether this would work if each device was on a separate network. I’ve only tried it with both on my home wifi.

SpinRite, VMware and Windows 7 or Windows 8

Today, my moderately trusty Windows Home Server HP MediaSmart ex495 started complaining of a disk issue. The built-in repair tools seemed to clear the error code, but when I went to run an error scan using HD Tool Pro, the box locked up.  After a reboot, I saw some SMART errors on the disk.  Time for SpinRite!

SpinRite is a trusted tool for performing hard disk maintenance on magnetic hard drives (not flash drives!).  Typically, one would use SpinRite by creating a boot CD or USB stick and running it on a dedicated PC. While it’s running, you can’t use your PC for anything else. It can take hours to do its job.

My preferred method of running SpinRite is inside a virtual machine on my laptop, using an external USB or eSATA dock to connect the troubled disk. To do this, I’ve created a tiny virtual machine in VMware Workstation 8. When creating it the first time, I booted into the virtual machine’s BIOS to change the order of the boot devices to ensure the ISO is the first boot device. I connect the troubled disk to the VM using the Physical Disk option in VMWare Workstation.

I used this method for some years, until it stopped working after moving to Windows 7. Windows 7 would seem to take a lock on the external disk, and the VM seemed to not be able to connect to the physical disk.

The fix for me is to use the DiskPart command line tool with some specific commands to get Windows to release the physical disk so VMware can use it.

In my case, the disk I needed to operate is Disk 2.

Run an elevated command prompt (as Administrator), then run “diskpart”.  Once in diskpart, issue these commands.

list disk
select disk #
offline disk
attribute disk clear readonly

That should do it. The next time you boot the VM, it should be able to take ownership of the physical disk.

Edit August 26th, 2013:

I just confirmed this technique continues to work on Windows 8.

Tip for saving ink printing airline boarding passes

When I fly Southwest, I print my boarding pass at home.  Southwest must think printer ink flows from every faucet, as they include color ads on every boarding pass.  Thanks, but no thanks.

(By the way, if you’ve ever been curious to know what printer ink costs relative to other common liquids, check out this infographic.)

Here’s my tip to avoid printing out those ads and wasting precious ink. I use Google’s Chrome web browser. I can’t say whether this will work in other browsers, but it just might.

  • You’re on the final boarding pass page, ready to print it out.
  • Do File…Print or Ctrl-P (whatever you please to start the print process)
  • Chrome will bring up a print dialog.
  • Change the “Margins” setting to Custom.
  • Drag the bottom margin up to somewhere around 5.5 inches and let go.
  • The ads should disappear (actually, they’ve landed on Page 2).
  • Change the “Pages” setting from “All” to only print Page 1.
  • Donate ink savings to charity.

p.s. Even better tip — save the boarding pass document to a PDF and send it to your phone or tablet, and save the ink and paper.

Simple Pleasures – Hot Swapping Batteries with the Samsung Galaxy Nexus

I recently switched US cellular carriers from Sprint to Verizon, and Android phones from the Sprint HTC EVO 3D to the Verizon Samsung Galaxy Nexus.

Being a power user, I tend to burn through my battery fairly quickly. With any new phone purchase comes the inevitable buying of extended batteries and external battery chargers.

When power runs low, it’s great to be able to swap in a new battery. I love user-replaceable batteries.  You can argue with me that a non-user-replaceable battery would allow for a design that could incorporate a larger primary battery. On second thought, don’t. It sounds like a boring argument.

It’d be great if I could swap out a battery without needing to shut down the phone first. Why isn’t there a little backup battery or capacitor that makes this possible? Probably lack of space, or desire to keep costs down.  Now, you can just pull the battery (killing the phone), and probably things will be fine, but once in a while I expect doing so will cause some kind of data loss and corruption. I’m a good little user, so I always shut down the phone first.

Here’s the “feature” that some of my past phones have had, my HTC EVO 3D didn’t, and my Galaxy Nexus does. I can plug in the USB charger, yank the battery, and the thing keeps running. So I can hot swap the battery without wasting time shutting down and booting up.

It’s the little things.

Chrome2Phone Hack – Sending arbitrary text

I use KeePass on my PC and KeePassDroid on my Android phone to manage the hundreds of unique passwords for all the sites and services I use. I keep the password database synced using Dropbox on both PC and Android.

I also use Google’s Chrome browser. The Chrome2Phone (C2P) extension is a great way for me to throw links, phone numbers, maps and other info to my phone from the web browser.

Logging into sites and services on the phone can be a pain because of the complexity of the random passwords I use. KeePassDroid is a bit of a speed bump. It occurred to me that I might be able to send a password to my phone’s clipboard using C2P. Ideally, I’d write a plugin for KeePass that could do what C2P does, but I came up with something else.

C2P supports sending text you highlight in a web page to your phone’s clipboard for pasting. If I could get my password into a web page on my PC, I could send it to the phone. I noticed that if I’m on a web page with a textbox, I can paste arbitrary text (like a password) into the textbox, highlight it, right click it, and send it to the phone. I’m security conscious enough to not want to go pasting my passwords into random textboxes hosted on sites I don’t control. With all the javascript flying around out there, the owner of the page could easily grab whatever I put in the textbox and save it for later perusal.  (We’ll set aside the question for now of, “Do you trust C2P enough to use it to send passwords?”)

What I needed was a single text box in a web page that I control and trust. I made the page, saved it on my hard disk, and launched it in a browser. Here’s that file:
<!DOCTYPE html>
<title>Chrome2Phone Hack</title>
<input type="text"/>

But C2P didn’t like the fact that the page was served locally, off my hard disk, and not from a web server.  It refused to show me the standard C2P options in the right-click context menu. Perhaps I’ll suggest a patch to C2P for this in the future. But for now…

I dragged the HTML file to the Public folder of my Dropbox account, right clicked it, and via the Dropbox context menu, got a public link for it. I’ll let Dropbox host my simple page so that C2P will work. I created a bookmark in my Chrome toolbar named “C2PHack”.

Now whenever I need to send arbitrary info to my phone, I can click my bookmark, paste my text into the textbox, highlight it, and send it to the phone.

Easy, right?