umbber latean grantland

0 views

Skip to first unread message

Yoshi Heffernan

unread,

Aug 2, 2024, 10:12:24 AM8/2/24

to liquaconnui

I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.

After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.

Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.

I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?

(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)

The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to [email protected] and to [email protected] end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.

The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).

This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.

As a side note, by logging into someone else's account, you have violated many country's "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have".

I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.

The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.

In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.

I got emails from Netflix too saying that my account was cancelled and that there was a sign in attempt somewhere from the US... except that I live in Canada, and have never made a Netflix account in the first place. I went directly to the Netflix website and was able to speak to a representative, and they deleted the account. There was no payment information either. I don't understand why this happened, either someone has a similar email address yet without the dots, or perhaps there is some sinister reason, but I wouldn't know. I've wondered if someone might do this hoping that the other person would fill in their payment information, thus enabling the account.

You can hardly throw a stone at a major Internet company these days without that stone's password and personally identifying data being hacked. Data breaches have become the norm, and for average Internet users, that means an increased need for vigilance.

On Wednesday, an unexpected e-mail alert from Netflix made me wonder if the media-streaming giant had become the latest victim of a giant data break-in. That wasn't the case. Instead, I found myself facing rather the opposite scenario: a tech company offering proactive support. But did Netflix's vigilant take on my account's security tip over into scare-tactic territory?

I began to prep a dinner on Wednesday evening when I saw an e-mail alert on my phone saying, "Netflix password reset required." It's the kind of notice that might make anybody toss their bottles of cumin and dill aside and rush to a computer.

We have detected a suspicious sign-in to your Netflix account. Your Netflix account may have been compromised by a website or a service not associated with Netflix. Just to be safe and prevent any further unauthorized access of your account, we've reset your password.

"I don't see any streaming in your account in the past seven days," the rep, Alberto, wrote. "What we can do to make you feel more safe is to send you a password reset e-mail, and I can also deactivate all the devices that are now logged in your account."

"Well, honestly, I would feel safer if Netflix didn't send out false alerts like this," I wrote in response. I pressed for more information as to what triggered a "suspicious sign-in" notice. After putting me on hold for some time, Alberto returned with this (unedited) explanation:

Thanks to you for holding.. I was checking on my end and confirmed that the system sometimes send an email from in...@mailer.netflix.com that alerts customers about possible unauthorized access and recommends that they change the password for their account. This doesn't mean that the account was compromised, it is more like a heads up and a recommendation to change the password to prevent that from happening.. Netflix takes our customers' security very seriously, keeping your data safe is among our top priorities. While we can't always say how an account was compromised, some common ways are phishing emails or unsecure websites. If you Click Here you will find more info about how to keep the account secure..

At first blush, I felt like this explanation didn't quite mesh with what the alert had told me. Was there indeed a suspicious sign-in? If it's possible that the account wasn't compromised, then what's going on here?

"Of course, I get your point," Alberto wrote. "However, I can see that the email states only that a suspicions sign-in was detected and that the account may have been compromised, but I don't think it's confirming it. But I see what you mean and I totally get you." He said he would "pass the word along" to Netflix higher-ups.

Netflix was founded in 1997 by Reed Hastings and Marc Randolph as a DVD-by-mail service. The idea came after Hastings was charged a late fee for a movie rental. Customers could subscribe to receive DVDs by mail. The company later expanded to streaming and now has millions of subscribers.

The company at the time struggled with two fundamental problems in their business model. One was that because the DVD was sent via mail, it would take anything between one day to 4 days for the shipment to reach the subscriber. Even though people were likely to try Netflix, conversion to repeat rentals was low. Secondly, people would far more inclined to rent out the latest releases. For the company to break even on the cost of purchasing a DVD to rent-out, they would have to generate 15-20 rentals for each DVD.

Secondly, to enable maximum utilisation of their DVD content catalogue, the company created their movie recommendation system. Through Cinematch, Netflix would recommend shows for their subscribers to watch. The point for this was to alleviate pressure for DVD rentals away from new releases, to a more uniform renting out of their content library. This solution has over the years become considerably sophisticated, and drives how customers experience Netflix and how the company makes decisions when acquiring new content.

Netflix put further pressure on competition when they announced the launch of their streaming service in January 2007, as Watch Now. At the time the streaming service was expected to be of use only for power users with broadband internet connections, which were not all that common at the time. Users were required to have a 1 mbps internet connection to be able to stream movies, with a 3mbps connection required for streaming DVD-quality films. Subscribers under the $17.99 plan had access to 18 hours of streaming content. Video delivery was through a special browser applet that subscribers would have to install. By 2008 however Netflix had given access to unlimited video streaming for subscribers to its biggest plan .

Prioritising building a robust technical infrastructure has helped Netflix keep their first-mover advantage. Oftentimes the first-mover advantage is squandered by technology companies who have to make way for businesses that solve the problem more efficiently. Netflix, however, by relying on a solid content and technical team, has managed to keep its competitive advantage since the launch of its streaming video service.

As the company started working towards building a streaming video solution, they also started to develop solutions for streaming video through hardware platforms. In 2004/05 the company was considering working with contract manufacturers on DVD disc drives with a video processor, which could download video content over the internet, and then stream it on TV. This model was similar to TiVo, which enabled TV owners to record TV shows on a disc. This was however shelved as competition with Blockbuster intensified and Netflix had to put resources into engaging in a pricing war with the market leader.