Slashdot Mirror


Man Arrested For Selling One Million Netflix, Spotify, Hulu Passwords (bitdefender.com)

Police in Australia have arrested a man who allegedly made AU $300,000 (US $211,000) running a website which sold the account passwords of popular online subscription services including Netflix, Spotify, Hulu, PSN, and Origin. From a report: The 21-year-old man was arrested on Tuesday in Sydney, Australia, following an international investigation by the FBI and the Australian Federal Police into the website Wicked Gen. The Wicked Gen website bragged that it had over 120,000 users and almost one million sets of account details, offering monthly and yearly membership plans for those who wanted "access to thousands of premium accounts across a huge range of services." The account passwords, however, were not obtained via legitimate means. Instead the details were typically obtained through credential stuffing using swathes of usernames and passwords leaked through other data breaches, without the knowledge of their genuine owners.

25 comments

  1. Dam.. by blackt0wer · · Score: 1

    Now I can no longer stream.

    1. Re: Dam.. by Anonymous Coward · · Score: 0

      Did North Korea hack you? You can say. We won't make fun.

  2. Re:Now I can Finally by wolfheart111 · · Score: 1

    Stream... that was you eh...

    --
    [($)]
  3. "Credential Stuffing" by godel_56 · · Score: 1

    So basically people reusing the same login and password across different web sites.

    tl;dr Use a password manager.

    1. Re:"Credential Stuffing" by vinn01 · · Score: 2

      "Credential Stuffing" has got to be one of the worst descriptive tech terms. Just say "Password Reuse".

      It's not much of a hack to find a password and see what other websites the same password works on. Given that every fricken website uses email address for a username, once you have an email/password pair, you know the same pair is probably going to work elsewhere.

    2. Re:"Credential Stuffing" by Anonymous Coward · · Score: 0

      I had never heard the phrase before reading this summary and I instantly knew what it meant. Seems like a good enough term to me.

    3. Re:"Credential Stuffing" by Anonymous Coward · · Score: 0

      Password reuse is vague, not that credential stuffing is better but if you're going to replace it be specific. 1 user using the same pw everywhere is reuse. User-account sharing or login sharing is a better phrase.

    4. Re:"Credential Stuffing" by Anonymous Coward · · Score: 0

      >Seems like a good enough term to me.

      It's nice that you're the only deity in your bubble worldview. We want a term good enough for lay plebs, now and tomorrow's, so the C-level you're explaining a risk to can grok it without expiring his three second attention span while you clarify "credential stuffing".

  4. How Were The Real Victims by rtb61 · · Score: 1

    Kind of interesting story when you try to figure out who the real victims were, far more complex than it might seem at first. So the people who bought those usernames and passwords, well they were naughty people and knew full well what they were doing and yet in reality, once the actual holder of the username password finds out, they alter the account and the person who bought it has nothing, they can not lock the real user out because they will simply stop paying, so the knowing buyer is defrauded because they buy nothing, over the medium term.

    The actual end user, likely loses short term access to the account and fends off any false billing, effectively their loss is the smallest, more an inconvenience, still really unfair though.

    You have the company, well, their fiscal loss is likely to be the greatest, loss of customer trust, security costs to try to stop it happening, remedial costs to return the account securely to the rightful holder, plus any losses that occurred during the period of illegal access.

    The perpetrator has left a trail of victims all over the place but then all he need do is pull the American trick, claim a corporation did it all and they can prosecute the corporation, whilst the perpetrator wanders off with their golden parachute. Works for one end of town, why can't it work for the other, oh, that's right, it's a criminally corrupt practice, protected by corrupt psychopaths in government, paid off by corrupt corporate executives who are also clinical psychopaths.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:How Were The Real Victims by Anonymous Coward · · Score: 0

      We must always think of the real victims! For example, I'm always worried that if an Islamic terrorist was somehow able to detonate a nuclear device in America and kill 50 million people there would be a major rise in islamophobia that might cause a backlash against innocent muslims! We have to remember the real victims!

    2. Re:How Were The Real Victims by Anonymous Coward · · Score: 0

      The US response to 9/11 was bad enough. But any Islamists detonating a nuclear device in the US would eliminate islamophobia. By the time the US finished retaliating there wouldn't be enough Islamists left to hate.

    3. Re:How Were The Real Victims by Hognoxious · · Score: 1

      >So the people who bought those usernames and passwords, well they were naughty people and knew full well what they were doing and yet in reality, once the actual holder of the username password finds out, they alter the account and the person who bought it has nothing, they can not lock the real user out because they will simply stop paying, so the knowing buyer is defrauded because they buy nothing, over the medium term.

      If the Energizer bunny was a sentence it would be this one.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    4. Re:How Were The Real Victims by Anonymous Coward · · Score: 0

      http://i.4cdn.org/pol/1552703718819.webm

    5. Re:How Were The Real Victims by Mr. Dollar Ton · · Score: 1

      Man, the Tom Clancy books are fiction. Bad, bad fiction. Get a real life, stop worrying about things that ain't gonna happen.

    6. Re:How Were The Real Victims by Anonymous Coward · · Score: 0

      Arrested. Why, no crime was committed. Why the FBI, Australian jurisdiction only. Lastly it is CIVIL. The various companies may bring a civil suit.
      Also it is more likely there was a breach, and these companies broke the law by not reporting it. Can't go to court with dirty hands is usually the law.
      OTOH resources wasted on delayed teenagers of low value mean more time for the real gangs and religious shooters and bikies to do their stuff.

    7. Re:How Were The Real Victims by Anonymous Coward · · Score: 0

      Agreed. It's complete fiction that Saudi Arabia would sponsor Islamic terrorists to pilot two
      commercial airlines into skyscrapers in New York city, a third into the Pentagon, and a 4th
      into an unknown target (because some amazingly brave passengers stopped that).

      Or that Jamal Khashoggi slipped and fell repeatedly on a hacksaw which resulted in his
      death and dismemberment; and at the kind hands of a Saudi prince who, at the time of the
      terrible accident, was merely trying desperately to save his life. (Whose his is it, I wonder?)

      So, yes, there are nut jobs out there, irrespective of religion, who would have no qualms
      about doing some of the things from a Tom Clancy book.

    8. Re:How Were The Real Victims by KingMotley · · Score: 1

      This isn't a civil offense in the US. I am not a lawyer, but I suspect the following applies: 18 U.S. Code 1030(a)(5)(A) and 18 U.S. Code 1030(a)(6)(A): https://www.law.cornell.edu/us...

  5. Is that wrong? Nothing of value "lost". by Anonymous Coward · · Score: 0

    So no, that is not. Maybe to MAAAANSSS' law, but face it, it's just 1s and 0s and it is not a crime to capture those, not in any particular order. I am forwarding this account to Mr. Trump. He will see to it that I am put in the right place. Prepare to feel my wrath.

  6. but but but by Anonymous Coward · · Score: 0

    but freedum of speach!!!!!

  7. Re:Now I can Finally by Lord Kano · · Score: 1

    What does R. Kelly have to do with this?

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  8. Any takers? by Plus1Entropy · · Score: 1

    I bet he gets more jail time than Manafort. The system is fucking broken.

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  9. Clearnet?! by denis.goddard · · Score: 1

    So wait. This guy set up his site for selling stolen credentials on the CLEARNET? Did he accept payment in PayPal as well? What an idiot. Doesn't he know, situations like this are why God invented the darknet?

    1. Re:Clearnet?! by Anonymous Coward · · Score: 0

      There's no such thing as "the clearnet". That's like calling normal people "cis-gendered". You don't need to make up new words for "normal."

  10. Re:Huh by wolfheart111 · · Score: 1

    nothing... u lost me.... :|

    --
    [($)]