Netflix, HBO GO, Hulu passwords found for sale on the Dark Web

Winter is indeed coming, Ned Stark, but it’s looking more like pirates than white walkers: a new report found that thieves may have put your HBO GO account on the auction block on the Dark Web.

The report from Irdeto found that thieves are selling hundreds of stolen logins for popular “over-the-top” (OTT) services such as pay TV and video on demand on Dark Web marketplaces.

Besides HBO GO credentials, the company spotted listings for logins to 42 services, including Netflix, DirecTV and Hulu. All told, during the month of April, Irdeto spotted 854 sets of credentials, listed by 69 separate vendors on 15 marketplaces.

On average, an account’s credentials are fetching $8.71 (about £6.60) for one-time use. Some Dark Web sellers are also selling bundles of credentials for several services at higher prices.

Granted, Irdeto has an interest in bringing attention to piracy and other illicit activities, given that it sells content security and monitoring solutions and services to media and entertainment customers. But there’s no denying that cyber thieves will grab, and sell, these credentials.

Netflix, for one, keeps an eye out for its customers’ credentials turning up in batches of data ripped off in various breaches. Like many online services – including Facebook and Amazon, for example – Netflix’s routine security monitoring includes sniffing around online to see if it can find its user IDs circulating in breach lists.

(It’s worth noting that online services that do this look for account names that seem to match up with those of their own users. If they find any, they try to hash the revealed-somewhere-else passwords against hashed passwords of their own users. If they find that some of the passwords, once hashed, match their own customers’ hashed passwords, it translates into users having used the same password on multiple sites.)

That’s how Netflix wound up closing the accounts, or resetting passwords, of some customers in 2016: after finding their account credentials floating around online, the company zipped up the accounts to keep them from being hijacked.
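The breach-list check described above, and the forced reset that follows from a match, as an added example (not from the article, Irdeto or Netflix). It assumes the service stores a per-user salt and a PBKDF2-SHA256 hash; the function names, `USER_STORE`, `BREACH_LIST` and every account and password in them are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo value (assumption); a real service reuses its own stored KDF parameters


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored verifier the same way the login path would."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Build a user-store row: per-user random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": hash_password(password, salt)}


def normalize(account: str) -> str:
    """Account names in breach lists vary in case and stray whitespace."""
    return account.strip().lower()


def find_reused_credentials(breach_pairs, user_store):
    """Return our account names whose leaked password also matches our stored hash."""
    exposed = set()
    for account, leaked_password in breach_pairs:
        record = user_store.get(normalize(account))
        if record is None:
            continue  # account name does not belong to one of our users
        # Re-hash the leaked password with this user's own salt and parameters.
        candidate = hash_password(leaked_password, record["salt"], record["iterations"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add(normalize(account))
    return sorted(exposed)


# Constructed sample data: a tiny user store and a breach list from "another site".
USER_STORE = {
    "arya@example.com": make_record("needle-1234"),
    "jon@example.com": make_record("correct horse battery staple"),
    "sansa@example.com": make_record("winterfell!"),
}
BREACH_LIST = [
    ("Arya@Example.com ", "needle-1234"),  # same password reused on our service
    ("jon@example.com", "ghost2016"),      # account name matches, password differs
    ("ned@example.com", "winterfell!"),    # not our user, even though the password exists here
]

if __name__ == "__main__":
    for account in find_reused_credentials(BREACH_LIST, USER_STORE):
        print(f"force password reset: {account}")
```

Because each stored hash has its own salt, the leaked password has to be re-hashed once per matching account name; there is no way to look a leaked password up across the whole user table in one step.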

That’s a good move. Who wants to pay for crooks to watch Breaking Bad? Or Disney films, for that matter?

How to keep your accounts safe

Irdeto recommends that we all keep our eyes out for unusual or unfamiliar activity on our accounts. It also suggests changing passwords regularly, but that won’t do you much good if you’re using weak passwords, or, worse still, re-using passwords.

Be they strong as steel or weak as wet tissue, reusing passwords means that if one service gets breached, crooks can try the same credentials on all your other accounts. Here’s a detailed explanation of the dangers of password reuse, and here’s how to make every one of those passwords robust.

You well might have passwords coming out your ears, and we know it’s tempting to more or less just give up when it comes to creating unique, tough-to-crack passwords for all your accounts. Instead of giving up on security, though, consider using a password manager.

We think they’re a great tool. All you have to remember is one good, strong master password for the manager.

Some, if not all, password managers will run through your passwords and flag any that have been reused, prompting you to come up with stronger, unique passwords that they’ll then store so you don’t have to scribble them down or remember them.

Whatever you choose to do, make sure you’ve got a unique, hefty password before Game of Thrones Season 8 debuts next year, and the pirates storm your cyber fortress.
