Why would someone open a Netflix account using my Gmail address?

  • This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.

    I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.

    After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.

    Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.

    I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?

    Are you sure these emails were coming from the actual Netflix?

    Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...

    BTW, what you did was **knowingly** locking someone out of their account and accessing their info, which may get you heavy fines or jail time. The probability of that is of course small, but remember that lady who shared a handful of songs on e-mule, then was asked to pay $10'000 per song: I bet she didn't expect it either.

    @DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.

    @DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.

    @KonradRudolph Just to make it clear, by "account" I mean the Netflix account, not the Gmail account.

    @DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.

    No scam, no phishing, nothing. This is not even for this site in my opinion. It's pretty basic: Since it is not a new account, we can say that the person didn't use a random email for free trial. But that is most likely the goal - they changed the account's email address to some random one so they could create a new trial account with their old email address.

    I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".

    I recommend setting up a Gmail filter so that mail sent to your-address-without-dots will automatically get a tag added to it. Name the tag "caution" or "no-dots" to make it easier to detect when a message needs additional scrutiny.

    I've had someone use my gmail address to sign up to numerous things -- I think their address is one letter off from mine. Most recently they used it to sign up with Groupon. I can't find a way to contact Groupon without signing into the account (that I didn't create), so I just mark the emails as spam and get on with my life.

    @DmitryGrigoryev Don't be absurd. OP did absolutely nothing illegal here.

    @only_pro I also find a $10'000 fine per shared song absurd, but the judge might not. So it's really a poor defense.

    @KonradRudolph The point made by Dmitry is fair, the other party (B) never entered OP's house or anything. More similar would be that B signed up for a swimming club and wrote in the address field the address of the OP. Next the OP used this information to maliciously gain access to B's account. B is definitely scamming and lying on the signup form, but OP gaining access to B's account without permission would in certain countries be of questionable legality as well. The biggest fault lies with Netflix here though for not verifying the email.

    @DavidMulder There’s no malice here. B’s lawyer might well try to argue this but an accusation of malice requires strong positive evidence.

    Something similar happens to me. I create unique email addresses for every service I use. So when I received a Netflix email at an address designated to “omgpop.com” I was confused. I see now that omgpop was hacked, leaking this email address into the wild. But why use this to create a Netlifx account?

  • jamesdlin

    jamesdlin Correct answer

    2 years ago

    I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:

    More generally, the phishing scam here is:

    1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
    2. Create a Netflix account with address james.hfisher.
    3. Sign up for free trial with a throwaway card number.
    4. After Netflix applies the “active card check”, cancel the card.
    5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
    6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
    7. Change the email for the Netflix account to [email protected], kicking Jim’s access to this account.
    8. Use Netflix free forever with Jim’s card **** 1234!

    (Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)

    The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to [email protected] and to [email protected] end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.

    A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.

    @AndrewSavinykh Many people would fall for that too. You see an activation email and just click the link even though it will actually activates Eve account. Plenty of people will fall for that even though receiving an activation email for an account you already activated should be highly suspicious.

    I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.

    @Wildcard as far as I know it's a gmail-only feature, as well as the `+`

    @Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by `+` is pretty common. In Debian's Postfix default configuration, it reads: `recipient_delimiter = +`.

    @rexkogitans Why is that a security hole (assuming ignoring dots is consistent with registration)?

    @CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.

    @Gizmo `+` is NOT gmail only.

    The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.

    @PeterTaylor Ahh, thanks for the explanation. I was confused because the article mentioned the authenticated links but also that he went through the password reset process.

    The only server that should even attempt to parse the part before the @ sign is gmail.com, as per RFC 5321, section 2.3.11. Netflix is doing nothing wrong.

    I'd probably add another step 0 to this: Connect to Netflix in some manner such that they can't trace you. Otherwise, it seems that you're likely to have problems on your hands when the victim calls Netflix after getting an extra charge on their credit card and Netflix traces the IP address of the person using the fraudulent account.

    @corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix *is* doing something wrong by not verifying ownership of the provided email address

    `Netflix (understandably) not recognizing Gmail's "dots don't matter" feature` I don't think that's particularly understandable, given that this feature is widely known. Yes, Google are a bunch of ship dits for creating that feature, but it exists and we have to deal with it unfortunately.

    Thanks for all the helpful answers. Just to clarify, I did not follow any links in any emails but went directly to Netflix's site. Still very surprised, though, that a major website like Netflix doesn't follow standard security practice in a number of ways: (a) allows signing up or changing an email address without verifying that it belongs to that person; (b) does not take account of Gmail's dot-in-email "feature"; (c) sends links with auth tokens in emails.

    @user2760608 Indeed: (a) (not verifying the email address) is strange.

    So netflix should 1) verify email address 2) Require password when changing payment options

    @IanKemp The "dots don't matter" feature prevents a LOT of misaddressed mails, so it's a good thing in my book. I used as my email for awhile [email protected] and I know for a fact that people missaddressed mails [email protected] (as I had a catch-all set up).

    @IanKemp, there are other variations of the “dot's don't matter” feature anyway. If Netflix properly verified ownership of the address, it wouldn't be an issue. Nor if it wasn't sending token-pre-authenticated links in emails. Those are the problems.

    I fail to see how this might apply to the OPs scenario, since the OP never had a Netflix account to begin with?

    @MrWhite As I said, *if* this is what is being attempted, then "Eve" skipped step 1. Possibly that's out of laziness, possibly it's out of hope that the victim signed up with Netflix using a non-Gmail address (and doesn't notice). Regardless, I think the intention is to trick the victim into paying for Netflix for someone else.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM