October 18, 2016
Popular streaming video service Netflix has reset the passwords of some subscribers whose logins it says were exposed at some time in an unrelated network intrusion, according to published accounts. A writer for Lost Remote, an AdWeek-owned blog covering “social TV,” said he received an email from Netflix warning him the company believes his “account credentials may have been included in a recent release of email addresses and passwords from an older breach at another company. Just to be safe, we’ve reset your password as a precautionary measure.”
Account takeover (ATO) fraud occurs when criminals use stolen login credentials to access multiple accounts, which works because consumers typically reuse passwords. It is becoming more common as more merchants ask consumers to establish accounts and keep cards on file in an effort to provide a more frictionless checkout experience. Increasingly, e-commerce merchants are running lists of hacked email/password combinations (usually obtained on the dark web) against their own customer base to see if their users—and consequently the merchants themselves—are at risk of ATO. When a company finds a match between one of its users and a compromised password, it can suggest the user reset the password or, like Netflix in this case, proactively reset it for the user.
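The screening step described above can be sketched as follows. This is an added example, not Netflix's or any merchant's actual code; it assumes the user store keeps salted PBKDF2 hashes and that the breach list arrives as `email:password` lines, and all names and sample data are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}


def parse_breach_line(line):
    """Split 'email:password' on the first colon only; passwords may contain colons."""
    email, sep, password = line.rstrip("\r\n").partition(":")
    if not sep or "@" not in email or not password:
        return None  # malformed entry, skip it
    return email.strip().lower(), password


def screen_breach_list(users, breach_lines):
    """Flag accounts whose *current* password appears in the breach list."""
    exposed = set()
    for line in breach_lines:
        pair = parse_breach_line(line)
        if pair is None or pair[0] not in users:
            continue  # malformed, or not one of our customers
        email, leaked = pair
        record = users[email]
        # Re-hash the leaked password with this user's own salt, compare in constant time.
        if hmac.compare_digest(hash_password(leaked, record["salt"]), record["hash"]):
            record["force_reset"] = True  # never log or store the leaked plaintext
            exposed.add(email)
    return sorted(exposed)


# Constructed sample data: a hypothetical user store and breach list.
USERS = {"alice@example.com": make_user("correct horse"),
         "bob@example.com": make_user("Tr0ub4dor&3"),
         "carol@example.com": make_user("s3cret:with:colon")}
BREACH_LINES = ["Alice@Example.com:correct horse", "bob@example.com:oldpassword1",
                "carol@example.com:s3cret:with:colon", "mallory@example.net:hunter2",
                "garbage-line-without-separator"]

if __name__ == "__main__":
    print(screen_breach_list(USERS, BREACH_LINES))
```

Only accounts whose current password matches a leaked one are flagged, so a user who has already changed a reused password is left alone.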