Netflix lets your streaming account be used by up to four people at a time — but some of those people may be complete strangers halfway around the world.
Stolen Netflix account credentials are sold for as little as 25 cents apiece wholesale in online black markets, according to U.S. information-security company Symantec. The company says credentials are generally stolen either by phishing emails or by malware posing as Netflix apps that may also steal credentials for online bank accounts.
You can check your Netflix account for suspicious activity, but you can't see a list of all devices that recently used your account. If you're worried that a stranger is tapping into your Netflix account, you should sign out of all Netflix devices at once, and/or change your password.
Last month, Netflix suddenly expanded its streaming service to nearly every country in the world, including some nominally hostile to the United States, such as Cuba, Venezuela and Iran. The only major exceptions were Syria, North Korea and China.
This marketing coup also means that there are now a lot of potential Netflix customers in poorer countries who can't afford to spend $8 a month for access on their Android phones — but can certainly pay a buck or two to the guys running the cellphone shop down the street. That cut-rate access comes through stolen credentials.
Your account, up for sale
"There is an underground economy targeting users who wish to access Netflix for free or a reduced price," Symantec's Lionel Payet wrote in a company blog posting Feb. 11. "The most common offers are for existing Netflix accounts. These accounts either provide a month of viewing, or give full access to the premium service.
"In most advertisements for these services, the seller asks the buyer not to change any information on the accounts, such as the password, as it may render them unusable," Payet added. "This is because a password change would alert the user who had their account stolen of the compromise."
There are so many stolen Netflix credentials out there that Payet's screenshots of online black markets include an ad for a tool called "NetflixGenerator" that spits out freshly compromised credentials in bulk, for people who want to resell those credentials to end users. It can be accessed for set periods of time: $10 for a week, $20 for a month or $30 forever.
"NetflixGenerator is a unique tool that generates freshly cracked accounts," the ad reads. "You can generate almost unlimited accounts per day. We update our account list daily to ensure you get only the freshest accounts."
The golden ticket to unlimited streaming
With such a thriving trade in stolen Netflix credentials, online criminals need to steal more and more of them.
Payet notes that one method of doing so involves the good old phishing scam — an email message or browser pop-up window that says you need to log back into your Netflix account for some reason, then takes you to a fake Netflix login page. Your email address and password are sent to criminals, and just to add injury to insult, the fake page may ask for your credit-card number as well.
But Netflix is so popular, Symantec says, that Trojan-horse malware posing as Netflix applications has cropped up as well.
"One malware campaign involves malicious files posing as Netflix software on compromised computers' desktops," Payet wrote. "The files are downloaders that, once executed, open the Netflix home page as a decoy and secretly download Infostealer.Banload. Banload steals banking information from the affected computer."
Payet added that "the files are most likely downloaded by users who may have been tricked by fake advertisements or offers of free or cheaper access to Netflix."
How to check for suspicious Netflix activity, and what to do about it
It couldn't hurt to log into your Netflix account on a desktop computer and go to the My Activity page.
See anything there that you're sure you, or anyone you know shares your account, didn't watch? If so, then you'll want to change your password at http://www.netflix.com/password. (Make sure the new password is strong and unique.) The password change will force all users to sign in again with the new password.
If you'd rather not change the password, but want to give freeloaders a scare (and tell the credential sellers that you're on to them), you can just sign out all devices using your credentials at http://www.netflix.com/ManageDevices. The sign-out may take up to 8 hours to propagate to all devices, Netflix says.