NetFlix Account Permanently Compromised

Yes, you read that correctly. My NetFlix account was compromised, and NetFlix cannot fix it. They've mitigated the security breach, but by their own admission they cannot close the hole. This will only affect you if you had set up multiple DVD plan profiles before NetFlix began offering instant streaming.

Here's the tl;dr version: If you created secondary profiles before NetFlix supported multiple streaming profiles (back when they only had DVDs or shortly after they'd started the streaming service), then you created a second login for the new profile. That means to manage the list of DVDs on the second profile, you would log in using a different email address and password from your primary profile. When they introduced streaming profiles, they converted the secondary login to be an alias for your primary login. Now there is no longer any way to modify the existing login, which means if that email address + password combination is compromised, your account will be permanently open.

Here's the whole gory story...

A little over a week ago I became aware of the breach. It was Thursday night, and my wife and I were winding down for bed. We've always enjoyed the show Futurama, and it's become a repeated behavior to put on an episode in the background when we're having trouble getting to sleep. We've seen all the episodes, and can quote all of the jokes, but they're still funny. They're easy to ignore if we need to, and if we fall asleep with it playing, we're not missing anything. The next morning I was scheduled to have my wisdom teeth extracted, and I definitely needed the distraction to help me fall asleep.

Imagine my surprise when I picked an episode and clicked play, and NetFlix told me

Your Netflix account is in use on another device. Please stop playing on other devices to continue. Visit Netflix.com/help for more information

What? We have the four-devices-at-a-time plan, there are only three people on this account, and none of us have ever watched two things at the same time! This should be impossible. This could just be a glitch, right? My wife tried playing the episode from her phone, and got the same response. Clearly NetFlix thought there were already four things being watched at that moment. When you feel like something is wrong, you're always right. After all, either there really is something wrong, or your feeling about the situation is what is wrong.

We logged in from a desktop and started investigating. Lo and behold, NetFlix showed a lot of recent viewing over the last two days that definitely wasn't ours. There were a lot of things that my wife and I were supposedly watching which I knew we weren't. My mother-in-law was supposedly watching something called Sons of Anarchy. What?! Oh {Expletive Deleted}!!! The account must have been compromised.

The first thing I did, of course, was change the password, and clicked the button to "Sign out of all devices". I didn't see how the password could have been compromised, since it was randomly generated and only used for NetFlix, but these things can happen, right? A few hours later, however, the rate of things being watched hadn't subsided. Clearly the attackers still had access. Did that mean my email was compromised, too? Except the new password was never sent via email, only the password change link, and the password hadn't been changed out from underneath me (the new password was still working). So the attackers definitely didn't have access to my email. That would have been highly unlikely anyway, as I use a different random password for my email, and have two-factor authentication turned on. How were the attackers still getting in?

Then my wife jogged my memory. She could log into the same account using her email address. That gave me a gut-wrenching feeling. Her account could be compromised. I never wanted that to happen to her, but that seemed to be the case. Better to confirm it first, right? We tried logging in with her email address and password, and sure enough... full access to all profiles. No wonder the account was still being used.

Okay, we need to change her password. Unfortunately it's a password she has used elsewhere, which means her email address combined with that password has to be considered compromised everywhere it has ever been used. Thankfully her email account uses a different password from the one that was compromised, so we at least knew they didn't have immediate access to her email. This is why you should never use the same password twice (but that's a topic for another day)! Here's where it gets really interesting...

We submitted a password change request for her email address. She didn't get the link in her email. We waited a bit (mine had shown up right away, but maybe the system was being slow), and she still never got the password change link. With a sinking feeling, I checked my email. Sure enough... there was a password change link. Okay, they sent it to the primary account holder. Not the end of the world, but being a software engineer, that gave me a good amount of worry. That's definitely not how the system should work.

When I clicked the password change link, it took me to the form for entering a new password, and on the screen it showed my email address instead of hers. Did that mean I was about to change my own password instead of hers? Well, worth a try. I put in a new password and clicked submit. Then I made sure I was fully logged out, and tried logging in again. By the way, Incognito/Private-Browsing is perfect for this kind of thing (so you don't have to clear your cookies and browser data). Sure enough, the new password was applied to my email address, and I could still log in using the compromised credentials. More expletives.

Now as a software engineer, this gave me enough insight to have a pretty good idea what was going on. Can you see it? Their system must be set up with a login table which associates email address to password and links to the account, and an account table which links back to only the primary email address. It might not be this exact setup, but it's a close enough approximation. When you submit a password change (or email change) request, it goes to the account (instead of the login), which links back to the primary login. What I needed was to change or delete the secondary login, not the account. If they were using a SQL-like database, then a command like the following would fix my problem: UPDATE login_table SET password_field = something random WHERE email_field = compromised_address; Pretty simple from my point of view!
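To make the suspected data model concrete, here is an added example (my own illustration, not NetFlix's code; the two-table schema, column names and sample logins are assumptions modeled on the guess above). It shows why a reset routed through the account record only ever touches the primary login, and how routing it through the login row itself closes the hole:

```python
import hashlib
import os
import sqlite3

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def build_db() -> sqlite3.Connection:
    """Constructed sample data: one account with a primary login and an older
    secondary (DVD-era) login that was later aliased onto the same account."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE login (id INTEGER PRIMARY KEY, account_id INTEGER,
                            email TEXT UNIQUE, salt BLOB, pw_hash BLOB);
        CREATE TABLE account (id INTEGER PRIMARY KEY, primary_login_id INTEGER);
    """)
    db.execute("INSERT INTO account VALUES (1, 1)")
    for lid, email, pw in [(1, "primary@example.com", "random-primary-pw"),
                           (2, "secondary@example.com", "reused-pw")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO login VALUES (?, 1, ?, ?, ?)",
                   (lid, email, salt, hash_pw(pw, salt)))
    return db

def login_ok(db, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM login WHERE email = ?",
                     (email,)).fetchone()
    return row is not None and hash_pw(password, row[0]) == row[1]

def _set_password(db, login_id: int, new_pw: str) -> None:
    salt = os.urandom(16)
    db.execute("UPDATE login SET salt = ?, pw_hash = ? WHERE id = ?",
               (salt, hash_pw(new_pw, salt), login_id))

def reset_password_via_account(db, email: str, new_pw: str) -> None:
    """Flawed flow: the request is resolved to the account, and the account
    only knows its primary login, so that login gets the new password no
    matter which email address asked for the reset."""
    row = db.execute("""SELECT a.primary_login_id FROM login l
                        JOIN account a ON a.id = l.account_id
                        WHERE l.email = ?""", (email,)).fetchone()
    _set_password(db, row[0], new_pw)

def reset_password_via_login(db, email: str, new_pw: str) -> None:
    """Fixed flow: act on the login row whose email address made the request."""
    row = db.execute("SELECT id FROM login WHERE email = ?", (email,)).fetchone()
    _set_password(db, row[0], new_pw)

def demo() -> tuple:
    db = build_db()
    reset_password_via_account(db, "secondary@example.com", "new-pw-1")
    still_open = login_ok(db, "secondary@example.com", "reused-pw")  # hole remains
    reset_password_via_login(db, "secondary@example.com", "new-pw-2")
    closed = not login_ok(db, "secondary@example.com", "reused-pw")   # hole closed
    return still_open, closed
```

The flawed reset also clobbers the primary login's password as a side effect, which matches the reset link showing the primary address and the new password applying to it.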

Wait, what's this? My account now had a new profile that I didn't expect! Not only were people watching things using my account, they were changing the profiles! They're messing with my data!

First things first: quickly make a backup of any data that I might care about (and filter out the data which clearly was added/changed by the attackers). For me that meant the watch lists and the list of video ratings for each profile. We'd had our account since 2007... there was a lot to back up. Some screens could be printed to PDF, and some needed to be captured as screenshots because they wouldn't print properly. This would come in handy later. Again, a topic for another day, but back up early and often when possible, and then again at the first sign of trouble!

Time to call upon the experts! First I went to the NetFlix help pages. Of course they said the obvious. If you think your account is compromised, check your viewing activity and recent account access, then change the password and click the "Log out all devices" button. So I started a live chat and explained the situation. The person with whom I spoke was courteous and helpful, and started off by initiating a password change for the compromised email address... which was sent (and applied) to my primary email address, not the bad one. I explained what was going on, and after some investigation, they realized it had something to do with the DVD profiles. Unfortunately the online helpers are for the streaming service only, and couldn't try anything with the DVD side of things, but they were able to give me a direct support number and their hours of operation.

The next morning I was able to call the DVD support line when it opened at 8AM. Unfortunately my wisdom tooth extraction was scheduled to start at 8:20AM, so it was going to be a short call. Once again I had to spend a good amount of time explaining the problem. The person with whom I spoke was very courteous and wanted to be helpful, but I had a hard time explaining the problem such that they really understood it. When they did understand, they said they didn't have any tools to make that kind of change.

Here's what they could do: They could try disabling the account, which scrambles the email address. They could also submit an unauthorized transaction report if I wanted. I didn't realize the consequence this would have, and the account was still being actively used, so I said that would be alright with me. I should have asked more questions, and they should have volunteered what the result of such a ticket would be. They also said they would submit the problem to their research division. Then I had to get off the phone... I was out of it for the rest of the day.

When I was coherent enough to check on things again, I found email notifications that my account had been disabled. I tried logging in using the compromised credentials, and sure enough... it still let me in. Once logged in, I could see that they'd changed the primary email address to be some gibberish pointing at their own email servers. Well, that would certainly stop someone from using my email address to get in, but it wasn't my email address that was the problem. I didn't do much more that weekend, because of my surgery, and in the end I found a series on Amazon Prime that I wanted to watch. I decided to give NetFlix through Tuesday of the next week to get things straightened out, and would use Amazon Prime instead of NetFlix in the interim. Not ideal, nor as nice of a player, but I definitely wasn't going to be talking with tech support on the phone!

Sometime near the end of the weekend (or maybe it was Monday), I checked on NetFlix and found that it said, "Welcome back! Click here to restart your membership," and sure enough, I couldn't play videos anymore. Hooray! The attackers wouldn't be able to watch anything on my dime anymore. At least there was that. Of course, I couldn't watch anything anymore either, so it still wasn't fixed, but it should at least be enough to start discouraging the attackers. Then I tried the compromised credentials again, and yes... it still let me in.

A week after we first discovered the security breach I was feeling well enough again to speak with customer support. Yes, the account was still compromised, but disabled. I got on the phone with NetFlix support again. By this point, the notes on my account were long enough that the representative needed a noticeable moment to read before diving in to help.

The first thing they did was confirm that my credit card had been blacklisted. Wait... Blacklisted? You mean disabled, right? Yes, it has been disabled... permanently. No, there's absolutely no way to reverse it. The blacklist guarantees that the card will never be used with NetFlix ever again. That's definitely not what I wanted! Well, once a card is blacklisted, no one is allowed to remove it from the blacklist for any reason. That's the whole purpose of the list. More expletives. This is the card I have always used with NetFlix, and wanted to continue using with NetFlix. Now I have to choose another card, too? This is apparently what they meant when they asked if I wanted to put in a ticket to report my card as an unauthorized transaction. Yeah, it stopped the attackers from watching anything more on my account, but now I'll never be able to watch anything on NetFlix via this credit card again. A very unpleasant unintended consequence.

This round I had time. I described the problem fully, carefully, and explained all the possible ways I could think to fix the problem. Disconnect the compromised login from the account record. Delete the login. Scramble its password or its email address. Of course the tier one customer support didn't have the kind of access to do any of those things. Apparently there were notes from a research division or something similar which weren't helpful either.

Next I tried every way I could think of to reach someone more knowledgeable. I asked for managers, tier two, direct contact with the research division, their security department, their engineering/programming group... anyone, anyone at all. They couldn't get me in touch with anyone. They didn't have direct contact information for most, and weren't allowed to share it for the rest. The representative was kind enough to stay on the phone with me while talking with tier two support on my behalf, but couldn't connect me with them directly. I even gave them the compromised email address and password so they could prove to themselves that it was still allowing people into the account. Still no motion on fixing the root problem. I'm absolutely flabbergasted that they have no escalation process by which someone with technical skills can be reached. That's some very serious firewalling for their engineering division. Having some insulation is absolutely necessary, but these are circumstances in which I would think I should at least have been able to reach a security department! If the company for which I work did this, the customers would definitely go elsewhere. Then again, we serve enterprise customers, not just consumers.

Finally, there was one option left. The go-nuclear option. Close the account entirely, lose all the data and history, and create a new one. They would scramble the primary email address, which meant I would be able to reuse my primary email to create the new account, but there was no way to copy/transfer any of my existing data. With no other options, and no apparent way to reach anyone with the power to run some simple database queries/commands, I relented and allowed them to close the account. Boy am I glad that I got copies of our ratings and watch lists earlier!

I'm not very happy about this as a solution for numerous reasons. Of course there's the data loss, but there's also the loss of history and quite probably more unintended consequences. I work on software for marketers, and it is entirely possible NetFlix will run a campaign that is only for long-time customers. Resetting the clock like this means that I won't be eligible for such messages, and there's no way I'll know what I'm missing. That's outside my ability to affect, and likely wouldn't be anything large/significant, but I know I would be upset if I missed out on a beta program or special offer for a new service.

Here's the good news: For all the trouble, they gave me a free month of service. That was kind of them, and I appreciate the gesture. I would only have asked for a discount for the lost access time. To NetFlix: Thank you for that.

The next day I got a notification from my bank of a charge for $7.99 from NetFlix! I got online with a friendly representative, who saw the notes on my new account and said that the system had been too efficient and had charged me for the new account before the free month had been successfully applied, but something they said sounded wrong. $8.99? No, that's not what my bank said. Then it sunk in. The notification had come from my original card. I immediately logged into the new card's bank account, and sure enough the new NetFlix account had charged it $8.99. The representative online was able to reverse it, and I got a confirmation email that NetFlix was reversing it, but unfortunately the online representatives can only see the account for which you initiate the chat. I would have to call in about the $7.99.

When I called in, they were able to see that the online representative had reversed the charge on the new account, then went looking into the old account. They told me, "That's just an authorization. The system does that automatically to make sure there are funds in the account, but because the account is blacklisted no money will be withdrawn." I've worked with credit card authorization systems before in developing e-commerce solutions, and an authorization is the first half of the process: technically it's a hold on funds, which is only settled if the merchant later captures it. Someone must have clicked the "Click here to restart your membership" button. They assured me that because the card is on the blacklist, no funds will actually be withdrawn. I'm a little skeptical because the authorization was allowed, and will check back on my account in the near future. Also, does this mean every time an attacker clicks that button I'll see another authorization?

I've also started receiving the "Welcome to NetFlix" series of emails. I don't need or want these, but the account setting which would turn them off is one that I had turned on previously (and previously wanted), so now I just have to wait them out before I start getting the updates which I do want.

Today I can still log in with the compromised credentials to look at the closed account, but the primary email address has been changed to the domain gmail.csd.netflix.com. Customer Support Division perhaps? Not that it really matters.

In summary:

My purpose in writing this is twofold. First, I want to warn anyone who is a long-time NetFlix customer to check your old secondary logins. You may have this hole in your account and not realize it! Second, I want to lay out a full record of what happened, in case it helps anyone else, and in case a NetFlix engineer ever stumbles upon it and can fix the problem.

I apologize for any negative tone in my writing. I am disgruntled at the prospect of re-entering all my preferences by hand, and am sorely disappointed that I couldn't reach anyone of any authority with regard to a clear, ongoing security hole, but I feel I can say with certainty that the customer support division did the very best they could to help me with my case.

Update 2015-10-12

I just received an alert from my bank regarding a transaction from NetFlix for 5.99 GBP, on the blacklisted card! What's more, that account does charge international transaction fees. I do not live in a country which uses GBP currency, so this set off big red flags for me.

This time however, NetFlix was actually very helpful in determining what happened. I spoke with a very friendly representative who confirmed that my old card was indeed still blacklisted, and that the authorization had not, and would not, result in a completed transaction.

I had an inkling about the changed currency, and I asked how I could go about changing in which currency my account was billed. He said that a canceled account in good standing could be transferred to a new address in a new country, and would begin billing in that currency.

Aha! I feel fairly certain I now know what happened. I checked again, and yes, the old account is still compromised. Someone must have logged in, figured out a way to change the address, and attempted to start the account back up with the credit card on file. That would easily explain the currency change.

Unfortunately my bank's fraud department was closed for the night, so I'll have to follow up with them tomorrow to make sure I don't receive any fees, but at least I can rest easy that my full card number hasn't been leaked, because no other unexpected transactions have shown up.