A 21-year-old man living in Sydney, Australia, was reportedly arrested on Tuesday for having over one million stolen Netflix, Spotify, and Hulu passwords on his website WickedGen.com. Australian police estimate that he made approximately $211,000 over the course of the two-year scam.
The FBI initially informed the Australian Federal Police (AFP) of Wicked Gen in 2018, given the 120,000 paid members the site reportedly had. The two entities then collaborated in a joint international cybercrime investigation to pinpoint the man responsible. Although the perpetrator was based in Australia, the users who subscribed to the site were spread across the globe, including the U.S. After obtaining a search warrant and arriving at the premises, the AFP seized "electronic materials and various amounts of cryptocurrencies."
Man arrested for selling one million Netflix, Spotify, Hulu passwords: The WickedGen website bragged that it had over 120,000 users and almost one million sets of account details, offering monthly and yearly membership plans for those who wanted “access… https://t.co/NiC6NJkkKX pic.twitter.com/q8pVwcgDrg — Shah Sheikh (@shah_sheikh), March 13, 2019
According to the AFP, the man accessed the account information by "credential stuffing," which involves the attacker compiling a list of previously compromised usernames and passwords, usually obtained from a breach, and then selling them for profit. Because most people reuse the same password again and again, account information obtained once will likely also provide access to the victim's other accounts.
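From a service's side, reused credentials from a breach list show up at the login endpoint as one source trying many different usernames with very few successes. The following is an added example, not from the article or the AFP, that flags that pattern; the log records are constructed and the function name and thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# Addresses come from documentation ranges; nothing here is real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    + [
        ("198.51.100.4", "alice@example.com", False),  # one user mistyping
        ("198.51.100.4", "alice@example.com", False),
        ("198.51.100.4", "alice@example.com", True),
        ("192.0.2.9", "bob@example.com", True),
    ]
)


def flag_stuffing_sources(events, min_usernames=20, max_success_rate=0.10):
    """Flag sources that try many distinct usernames and mostly fail.

    Thresholds are assumptions for illustration; tune them on real traffic.
    Returns {ip: stats}, including accounts that were logged in to from a
    flagged source and therefore need a forced password reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "attempts": 0})
    for ip, user, success in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user.lower())
        if success:
            stats["ok_users"].add(user.lower())

    flagged = {}
    for ip, stats in per_ip.items():
        rate = len(stats["ok_users"]) / len(stats["users"])
        if len(stats["users"]) >= min_usernames and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_usernames": len(stats["users"]),
                "success_rate": round(rate, 3),
                "accounts_to_reset": sorted(stats["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

A per-address count misses attempts spread across many source addresses, so the same grouping is usually repeated on other request attributes.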
“Individuals in Australia have had their personal data stolen for the sake of individual greed,” AFP manager of cyber crime, Chris Goldsmid, said. "These types of offences can often be a precursor to more insidious forms of data theft and manipulation, which can have greater consequences for the victims involved."
The AFP confirmed that they are working with Netflix, Spotify, Hulu and all other companies implicated to address the issue. "We are working closely with the affected companies and thank them for their cooperation with investigations to date."
Let this be a lesson that your childhood pet probably shouldn't still be your password in 2019.