Netflix is telling some password-reusing customers to reset those well-trodden logins after it spotted some of them in a batch of purloined credentials.
The news was first reported by AdWeek, where writer Steve Safran said on Friday that he’d received this email:
As part of our regular security monitoring, we discovered that credentials that match your Netflix email address and password were included in a release of email addresses and passwords from a breach at another company.
The email didn’t give details about how many accounts were affected.
Netflix is resetting affected users’ passwords for them and then prompting them to choose a new one.
The email said that Netflix wasn’t aware of anybody having compromised Safran’s account.
Netflix confirmed to The Register that yes indeed, it’s sending out the emails as a precautionary measure due to the recent disclosure of credentials from other sites.
This is part of our ongoing, proactive efforts to alert members to potential security risks not associated with Netflix. There can be a variety of triggers such as username and password breaches at other companies, phishing schemes, and malware attacks.
Like many online services, Netflix’s routine security monitoring includes sniffing around online to see whether its users’ IDs are circulating in breach lists.
That’s how Amazon found a cache of reused passwords and likewise told some customers recently to swap the passwords out.
Facebook is also known to prowl the internet looking for your username/password combos to show up in troves of leaked credentials.
So where did the breached passwords originally come from? Netflix isn’t saying, and honestly, it could be from any of a growing list of mega-dumps.
The credentials could have come out of the LinkedIn breach of millions of passwords, for example.
Or it could have been the MySpace mega-breach, the 65 million passwords in the Tumblr breach, or from the gargantuan Yahoo breach of half a billion accounts.
With each breach comes an increased chance that a reused set of login details will be discovered and potentially used by crooks to gain access to any account set up with those same details.
If you’ve got some scruffy reused passwords kicking around, we agree with Netflix: put those mangy things out to pasture and get yourself some new ones to ride around on.
Make sure every one of your passwords is unique, too. After all, cloned passwords are sickly things. If one service gets breached, crooks can try them on all your other accounts.
So if you don’t want crooks watching porn, or Disney films, for that matter, with you footing the Netflix bill, make sure you’ve got a unique, strong password on that account.
Here’s a detailed explanation of the dangers of password reuse, and here’s how to make every one of those passwords robust.
“So many passwords!” you may say. “I must now lie down and take a nap!” you may wail.
Please, no! Nap not!
With all the “security breach!!!” and “reset your password NOW!!!” news coming at us constantly, we know it’s tempting to more or less just give up.
Instead of giving up on security, though, consider using a password manager.
We think they’re a great tool. All you have to remember is one good, strong master password for the manager.
If you use one, please tell us how you like it in the comments section below.
I use KeePass and have been very happy with it. It supports multiple OS; I use it on Linux, Android, and Windows. It’s not cloud based; I don’t want it floating around, I can sync it myself, thank you.
Its password generator is very flexible allowing accommodation of the myriad requirements of sites and myself.
Sync is with what? How do you remember the sync service’s password? Then that one probably uses 2FA. In the end you still have to remember several passwords and own a phone just to retrieve the rest of your online identity. Mind you, those passwords will be used very rarely. There’s a very high chance to simply forget them.
With Keepass you can keep a copy of the database file locally on your machine and in a Google Drive so it syncs automatically. The only issue is that the more copies of the database file you have, the more you have to remember to update them all.
Ok, so how does Netflix have both your username and PASSWORD unless it’s not storing the latter according to best practice? I.e. Salted, then multiple 1000’s of rounds of slow one-way Hashing. At best it should only have access to the password at time of your changing it …
The article explains what happened: Netflix didn’t *have* these passwords, it *acquired* a list of passwords from another breach in which the account names seemed to match up with users of its own. So it tried hashing the revealed-somewhere-else passwords against its own users and found that some of them matched, because those users had used the same password on multiple sites to make things easier to remember…
As mentioned in the article, other online services (e.g. Facebook) do this as well: see if any published logins (which could have come from breaches, keylogging malware, phishing attacks and more) seem to fit its own users too.
In other words, the reason Netflix has the passwords is that they’re already out there. It’s not comparing those passwords against plaintext passwords it’s stored itself, but pretending that the relevant user just typed in the known password, hashing it and seeing if it would work. Netflix can react to a match by locking out the account, whereas a crook who tried the same would immediately be able to abuse the account.
Another retailer sent me a notice when they found -A- password and my user creds online (it wasn’t actually my password for their service) – they didn’t try and hash that password and see if it matched their hash. When I asked why not, they seemed reluctant to do that. Is there a legal gray area as to whether its okay to take what you suspect is your customers’ passwords and try them on your system to see if they work?! I wouldn’t be upset if the retailer did that, but they seemed to think it was too close to the CFAA.
I’ve been using the paid version of LastPass for a few years and it has completely relieved the stress of generating and storing passwords. I just create a new 30+ character passphrase every year or so and I’m good to go on all my devices.
I’ve realised that the anti-spam technique of having a different email address for every online service also protects against this, because these breaches rely on the user using the same email address as well as the same password.
In an interesting twist, our TV keeps losing the Netflix username and password. The problem is that one must type them in by hand — using the onscreen “keyboard” and the arrow keys on the remote. I would LOVE to have a solution for that.
So, when I redo my NF PW tonight, I’m going to pick one that’s long, but easy to type.
Problem is that most keyboard patterns are well-known to the bad guys. So, my question is: what length does a keyboard pattern need to be to be significantly outside the limits to which crackers check?
This is a really good point. Good generated passwords are horrible for Netflix, Hulu and anything else where you have to type them into a streaming device like a TiVo or Roku.
Some services have the capability of generating one-time codes on the TV screen via the streaming device and having you validate it on the web, where LastPass can do the heavy password lifting for you.
Otherwise, I recommend passwords of the “CorrectHorseBatteryStaple” genre.
I was actually thinking like 1qazxsw23edcvfr45tgb etc. I just wanted to know how many characters are needed to be “safe”. In other words, beyond the radar of most cracking algorithms. I know qwerty and asdfgh aren’t safe because they’re in the “dictionaries” the crackers use. So, my question is, how far do I have to extend the list of close-together letters?
Take a look at my article “Do we really need strong passwords?”, it’s based on some of the excellent research that comes out of Microsoft Research looking at passwords in the real world.
https://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/
Thanks! I’ve read that before, but it’s worth a refresher (to me, anyhow).
My question is about a subset of what that’s targeting, specifically keyboard patterns. For example, is a clockwise spiral starting with the number 2 good enough? 2345tgbvcxswerfd is 16 characters, but much easier to type.
Couple that question with the 1 million vs 100 trillion from the article, and I think it’s good enough. Of course, now that I’ve posted it publicly, I can’t use it … 🙂
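The keyboard-pattern question in the exchange above is one a password policy can answer mechanically: a checker only needs to know which keys sit next to each other to spot that a password is one long walk across the board, however many characters it has. The following is an added example, not code from the article or from any of the commenters. It builds a QWERTY adjacency table (the four main rows, with the standard stagger between rows; no shifted symbols, no numeric keypad) and reports the longest run of physically adjacent keys in a password. The 75% threshold in looks_like_keyboard_walk is a constructed policy choice for illustration, not a published recommendation.

```python
# Keyboard-walk detector for a password policy check (added example, not the article's code).
# Only the four main QWERTY rows are modelled; shifted symbols and other layouts are out of scope.

QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _build_neighbours():
    """Map each key to the set of keys physically adjacent to it on a staggered QWERTY board."""
    pos = {}
    for r, row in enumerate(QWERTY_ROWS):
        for i, ch in enumerate(row):
            pos[ch] = (r, i)
    neighbours = {ch: set() for ch in pos}
    for ch, (r, i) in pos.items():
        # Same row: one key to the left or right.
        for di in (-1, 1):
            if 0 <= i + di < len(QWERTY_ROWS[r]):
                neighbours[ch].add(QWERTY_ROWS[r][i + di])
        # Row below: keys at index i-1 and i sit under key i (e.g. 'q' sits under '1' and '2').
        if r + 1 < len(QWERTY_ROWS):
            for j in (i - 1, i):
                if 0 <= j < len(QWERTY_ROWS[r + 1]):
                    neighbours[ch].add(QWERTY_ROWS[r + 1][j])
        # Row above: keys at index i and i+1 sit over key i.
        if r > 0:
            for j in (i, i + 1):
                if 0 <= j < len(QWERTY_ROWS[r - 1]):
                    neighbours[ch].add(QWERTY_ROWS[r - 1][j])
    return neighbours


NEIGHBOURS = _build_neighbours()


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of characters in which each key is adjacent to the previous one.

    Repeated keys and characters outside the modelled rows (spaces, punctuation) break the run.
    """
    pw = password.lower()
    best = 1 if pw else 0
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur in NEIGHBOURS.get(prev, ()) else 1
        best = max(best, run)
    return best


def looks_like_keyboard_walk(password: str, threshold: float = 0.75) -> bool:
    """Policy check: flag a password when one keyboard walk covers at least `threshold` of it.

    The 75% default is a constructed choice for this example, not a published standard.
    """
    if not password:
        return False
    return longest_keyboard_walk(password) / len(password) >= threshold


if __name__ == "__main__":
    # Samples: the two patterns proposed in the comments, plus a passphrase and a short word.
    for sample in ["2345tgbvcxswerfd", "1qazxsw23edcvfr45tgb", "correct horse battery staple", "hunter2"]:
        print(f"{sample!r}: longest walk {longest_keyboard_walk(sample)} of {len(sample)},"
              f" flagged={looks_like_keyboard_walk(sample)}")
```

Both of the patterns suggested in the thread come out as a single unbroken walk covering every character, which is exactly the property a cracker's keyboard-walk generator exploits, so the checker rejects them regardless of length. The passphrase and the short word never chain more than two adjacent keys. Real strength estimators such as Dropbox's zxcvbn do the same kind of spatial matching with more layouts and with turns and shifted keys accounted for.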
I’m not changing my NETFLIX password. I don’t have to. I take the recycled password to another level. Not only do I never reuse a password, I never reuse usernames. If a site forces you to use an email address as a username?
Well I have ten domain names that came with 100 forwarding email addresses each, giving me a thousand email aliases to use. A different email alias for every login.
So my Netflix email/username is unique as well as the password. Sometimes I use my password manager to create random-character usernames, as well as random-character username parts of the email addresses.
So instead of ending up with a compromised email address every time a company loses it, I merely delete their alias. Spam filtering becomes incredibly easy. See which alias is receiving all the junk, then delete it. No rules, No complaining, No Unsubscribing, you just delete the culprit alias and let them figure out the bounced messages.
If you don’t change the password on a compromised account, then crooks will be able to access the account…which comes back to you, one way or another. And if you delete the email alias that goes with it, you’ll never get to see any warnings about the stuff the crooks are getting up to, or to reset the account, or close it. I think I’d change the password, close the account and then retire the email alias…
…or did I miss something in what you’re doing?
On one hand, while it may be good that these companies are on the lookout for reuses of their users’ credentials, it also begs the question that these companies obviously also know your password, which begs the question about what if there are rogue insiders at the likes of Netflix, Google or Facebook etc. I thought these companies weren’t supposed to know user passwords, or are they just matching hashes?
They’re just matching hashes.
Simply put, they are doing a dictionary attack against your password using a dictionary of one entry – the publicly-known password that came from some other account. (I’ll guess that they try various obvious tweaks of the password while they’re about it, for example adding 1, 2, 3… 99 on the end and swapping Es for 3s and As for 4s, as crooks probably would.)
In other words, they only “know” your password if the guess turns out to be correct, in which case everyone else “knows” it too.
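The matching described in the replies above (take a leaked email/password pair from someone else's breach, hash the password, plus a few obvious tweaks, with the matching user's stored salt, and compare it with the stored hash) as an added example that is not part of the article, the comments, or Netflix's own code. Everything in it is constructed for illustration: the user records, the breach dump, the PBKDF2 round count (kept low so the example runs quickly; production settings are far higher), and the set of tweaks, which follows the commenter's guess rather than anything Netflix has confirmed. The defensive reaction on a match is to invalidate the credential and force a reset, so a matched password can no longer be stuffed into the account.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative only: real deployments use a far higher work factor (or Argon2/scrypt).
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way hash; this is all the service stores, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    """Constructed account record: only the per-user salt and the hash are kept."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt), "must_reset": False}


# Constructed customer database. The plaintexts appear here only to build the records;
# after this point the code works purely from salt + hash, as the real service would.
USERS = {
    u["email"]: u
    for u in (
        make_user("alice@example.com", "Tr0ub4dor&3"),        # reused the same password elsewhere
        make_user("bob@example.com", "Summer20167"),          # reused it with a digit bolted on
        make_user("carol@example.com", "correct horse battery staple"),  # unique password
    )
}

# Constructed "breach dump" from some other site, in the email,plaintext form such lists circulate in.
LEAKED_DUMP = """\
alice@example.com,Tr0ub4dor&3
bob@example.com,Summer2016
carol@example.com,hunter2
dave@example.com,letmein
"""


def candidate_variants(password: str):
    """The leaked password itself plus the obvious tweaks the comment speculates about (an assumption)."""
    yield password
    for n in range(1, 100):                      # "adding 1, 2, 3... 99 on the end"
        yield f"{password}{n}"
    leet = password.replace("e", "3").replace("E", "3").replace("a", "4").replace("A", "4")
    if leet != password:                         # "swapping Es for 3s and As for 4s"
        yield leet


def check_dump_against_users(dump_text: str, users: dict) -> list:
    """Return the emails whose stored hash matches the leaked password or one of its tweaks."""
    matched = []
    for line in dump_text.splitlines():
        if "," not in line:
            continue
        email, leaked_pw = line.split(",", 1)
        user = users.get(email.strip().lower())
        if user is None:
            continue                             # not one of our customers: nothing to compare against
        for candidate in candidate_variants(leaked_pw.strip()):
            # Constant-time comparison of the freshly computed hash with the stored one.
            if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
                matched.append(user["email"])
                break
    return matched


def force_reset(users: dict, email: str) -> None:
    """Defensive reaction to a match: replace the credential with an unknown random one and flag a reset."""
    user = users[email]
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(secrets.token_urlsafe(32), user["salt"])  # nobody knows this value
    user["must_reset"] = True


if __name__ == "__main__":
    hits = check_dump_against_users(LEAKED_DUMP, USERS)
    print("accounts whose leaked password (or a tweak of it) works here:", hits)
    for email in hits:
        force_reset(USERS, email)
    print("after forced resets, the dump still matches:", check_dump_against_users(LEAKED_DUMP, USERS))
```

The check never needs the plaintext the service stored; it only asks "would this login have succeeded?" for one guess (or a handful of guesses) per user, which is why a match tells the service nothing it could not learn from the dump itself. Carol's account survives because her password is unique, Dave is skipped because he is not a customer, and after force_reset runs the same dump no longer matches anything.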