98

This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.

I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.

After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.

Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.

I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?

Machavity
user2760608
  • 1
    Are you sure these emails were coming from the actual Netflix? – Hatted Rooster May 12 '19 at 20:18
  • 44
    Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha... – Harper - Reinstate Monica May 12 '19 at 23:24
  • 8
    BTW, what you did was **knowingly** locking someone out of their account and accessing their info, which may get you heavy fines or jail time. The probability of that is of course small, but remember that lady who shared a handful of songs on e-mule, then was asked to pay $10'000 per song: I bet she didn't expect it either. – Dmitry Grigoryev May 13 '19 at 08:20
  • 24
    @DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well. – glglgl May 13 '19 at 09:42
  • 31
    @DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV. – Konrad Rudolph May 13 '19 at 09:55
  • 1
    @KonradRudolph Just to make it clear, by "account" I mean the Netflix account, not the Gmail account. – Dmitry Grigoryev May 13 '19 at 10:47
  • 22
    @DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID. – Konrad Rudolph May 13 '19 at 11:05
  • 3
    No scam, no phishing, nothing. This is not even for this site in my opinion. It's pretty basic: Since it is not a new account, we can say that the person didn't use a random email for free trial. But that is most likely the goal - they changed the account's email address to some random one so they could create a new trial account with their old email address. – Fanatique May 13 '19 at 11:38
  • 15
    I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl". – Matthew Read May 13 '19 at 15:43
  • 2
    I recommend setting up a Gmail filter so that mail sent to your-address-without-dots will automatically get a tag added to it. Name the tag "caution" or "no-dots" to make it easier to detect when a message needs additional scrutiny. – bta May 13 '19 at 21:55
  • 1
    I've had someone use my gmail address to sign up to numerous things -- I think their address is one letter off from mine. Most recently they used it to sign up with Groupon. I can't find a way to contact Groupon without signing into the account (that I didn't create), so I just mark the emails as spam and get on with my life. – Roger Lipscombe May 14 '19 at 14:46
  • 1
    @DmitryGrigoryev Don't be absurd. OP did absolutely nothing illegal here. – user91988 May 14 '19 at 18:24
  • @only_pro I also find a $10'000 fine per shared song absurd, but the judge might not. So it's really a poor defense. – Dmitry Grigoryev May 15 '19 at 07:54
  • @KonradRudolph The point made by Dmitry is fair, the other party (B) never entered OP's house or anything. More similar would be that B signed up for a swimming club and wrote in the address field the address of the OP. Next the OP used this information to maliciously gain access to B's account. B is definitely scamming and lying on the signup form, but OP gaining access to B's account without permission would in certain countries be of questionable legality as well. The biggest fault lies with Netflix here though for not verifying the email. – David Mulder May 15 '19 at 13:49
  • @DavidMulder There’s no malice here. B’s lawyer might well try to argue this but an accusation of malice requires strong positive evidence. – Konrad Rudolph May 15 '19 at 14:48
  • Something similar happens to me. I create unique email addresses for every service I use. So when I received a Netflix email at an address designated to “omgpop.com” I was confused. I see now that omgpop was hacked, leaking this email address into the wild. But why use this to create a Netlifx account? – Nathan H Apr 01 '20 at 08:33

6 Answers

184

I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:

More generally, the phishing scam here is:

  1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  2. Create a Netflix account with address james.hfisher.
  3. Sign up for free trial with a throwaway card number.
  4. After Netflix applies the “active card check”, cancel the card.
  5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  8. Use Netflix free forever with Jim’s card **** 1234!

(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)

The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to foo.bar@example.com and to foobar@example.com end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.

A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.

jamesdlin
  • @AndrewSavinykh Many people would fall for that too. You see an activation email and just click the link even though it will actually activate Eve's account. Plenty of people will fall for that even though receiving an activation email for an account you already activated should be highly suspicious. – Giacomo Alzetta May 13 '19 at 07:05
  • 10
    I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it. – Wildcard May 13 '19 at 07:07
  • 1
    @Wildcard as far as I know it's a gmail-only feature, as well as the `+` – Gizmo May 13 '19 at 07:26
  • 19
    @Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by `+` is pretty common. In Debian's Postfix default configuration, it reads: `recipient_delimiter = +`. – rexkogitans May 13 '19 at 08:01
  • @rexkogitans Why is that a security hole (assuming ignoring dots is consistent with registration)? – Cedric Reichenbach May 13 '19 at 09:01
  • 8
    @CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login. – rexkogitans May 13 '19 at 09:18
  • 4
    @Gizmo `+` is NOT gmail only. – glglgl May 13 '19 at 09:44
  • 36
    The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security. – Peter Taylor May 13 '19 at 10:27
  • @PeterTaylor Ahh, thanks for the explanation. I was confused because the article mentioned the authenticated links but also that he went through the password reset process. – jamesdlin May 13 '19 at 15:03
  • 5
    The only server that should even attempt to parse the part before the @ sign is gmail.com, as per [RFC 5321, section 2.3.11](https://tools.ietf.org/html/rfc5321#section-2.3.11). Netflix is doing nothing wrong. – corvus_192 May 13 '19 at 20:06
  • I'd probably add another step 0 to this: Connect to Netflix in some manner such that they can't trace you. Otherwise, it seems that you're likely to have problems on your hands when the victim calls Netflix after getting an extra charge on their credit card and Netflix traces the IP address of the person using the fraudulent account. – reirab May 13 '19 at 23:04
  • 39
    @corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix *is* doing something wrong by not verifying ownership of the provided email address – jamesdlin May 14 '19 at 05:00
  • 1
    `Netflix (understandably) not recognizing Gmail's "dots don't matter" feature` I don't think that's particularly understandable, given that this feature is widely known. Yes, Google are a bunch of ship dits for creating that feature, but it exists and we have to deal with it unfortunately. – Ian Kemp May 14 '19 at 07:12
  • 4
    Thanks for all the helpful answers. Just to clarify, I did not follow any links in any emails but went directly to Netflix's site. Still very surprised, though, that a major website like Netflix doesn't follow standard security practice in a number of ways: (a) allows signing up or changing an email address without verifying that it belongs to that person; (b) does not take account of Gmail's dot-in-email "feature"; (c) sends links with auth tokens in emails. – user2760608 May 14 '19 at 10:17
  • @user2760608 Indeed: (a) (not verifying the email address) is strange. – Peter - Reinstate Monica May 15 '19 at 10:51
  • 5
    So netflix should 1) verify email address 2) Require password when changing payment options – miva2 May 15 '19 at 13:28
  • 2
    @IanKemp The "dots don't matter" feature prevents a LOT of misaddressed mails, so it's a good thing in my book. I used as my email for a while david.mulder@somedomainiowned.com and I know for a fact that people misaddressed mails to davidmulder@somedomainiowned.com (as I had a catch-all set up). – David Mulder May 15 '19 at 13:51
  • @IanKemp, there are other variations of the “dot's don't matter” feature anyway. If Netflix properly verified ownership of the address, it wouldn't be an issue. Nor if it wasn't sending token-pre-authenticated links in emails. Those are the problems. – Jan Hudec May 15 '19 at 18:26
  • I fail to see how this might apply to the OPs scenario, since the OP never had a Netflix account to begin with? – MrWhite May 15 '19 at 20:51
  • @MrWhite As I said, *if* this is what is being attempted, then "Eve" skipped step 1. Possibly that's out of laziness, possibly it's out of hope that the victim signed up with Netflix using a non-Gmail address (and doesn't notice). Regardless, I think the intention is to trick the victim into paying for Netflix for someone else. – jamesdlin May 15 '19 at 21:13
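The dot-stripping this answer and its comments argue about, as an added example that is not code from the original page or from Netflix: a small Python canonicalizer that applies Gmail's "dots don't matter" and "+tag" rules only to the domains known to use them (per RFC 5321 section 2.3.11 the local part is opaque to everyone but the receiving host, so the rule must not be applied to arbitrary domains), a registry that treats a signup whose canonical mailbox is already taken as "already registered", and the "caution" check bta's comment on the question suggests for mail addressed to a dotted variant of your own address. The domain sets, function names and sample addresses are assumptions constructed for the illustration.

```python
"""Added example: Gmail-style address canonicalization and the checks built on it."""
from __future__ import annotations

# Domains known to ignore dots in the local part. Assumption for this example:
# only Google's consumer domains; do not extend this blindly.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# "+tag" sub-addressing is honoured by many MTAs (Postfix: recipient_delimiter = +),
# but a registration service should only strip it where it knows the provider does.
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a comparison key for the mailbox that will actually receive the mail.

    RFC 5321 section 2.3.11 makes the local part opaque to everyone except the
    receiving host, so dots and "+tags" are only stripped for the domains above.
    Case is folded for the key because large consumer providers treat local
    parts case-insensitively; the key is for comparison, never for delivery.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a simple mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if domain == "googlemail.com":      # alias of gmail.com
        domain = "gmail.com"
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


class Registry:
    """Signup store that detects 'already registered' by canonical mailbox."""

    def __init__(self) -> None:
        self._owner_by_key: dict[str, str] = {}   # canonical key -> address as typed

    def register(self, address: str) -> bool:
        """True if the mailbox was free and is now registered, False on collision."""
        key = canonicalize(address)
        if key in self._owner_by_key:
            return False
        self._owner_by_key[key] = address
        return True

    def registered_as(self, address: str) -> str | None:
        """The literal address the colliding mailbox was registered with, if any."""
        return self._owner_by_key.get(canonicalize(address))


def is_address_variant(my_address: str, recipient: str) -> bool:
    """True when mail is addressed to a spelling of my mailbox I never hand out.

    This is the filter rule from the comments: the canonical mailbox matches,
    but the literal recipient differs (dots moved or a +tag added), so the
    message deserves extra scrutiny before any link in it is trusted.
    """
    try:
        same_mailbox = canonicalize(my_address) == canonicalize(recipient)
    except ValueError:
        return False
    return same_mailbox and my_address.strip().lower() != recipient.strip().lower()


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    reg = Registry()
    print(reg.register("jameshfisher@gmail.com"))               # True
    print(reg.register("james.hfisher@gmail.com"))              # False: same Gmail mailbox
    print(reg.register("James.HFisher+nflx@googlemail.com"))    # False: same mailbox again
    print(reg.register("james.hfisher@example.com"))            # True: dots matter there
    print(is_address_variant("jameshfisher@gmail.com", "james.hfisher@gmail.com"))  # True
```

The registry only decides whether a signup collides; what the user is told is a separate choice, and the "already registered" message the scam in step 1 relies on is itself an enumeration oracle, so the same response should be shown whether or not the mailbox was free and the difference handled by email.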
49

The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).

This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.

As a side note, by logging into someone else's account, you have violated many countries' "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have).

schroeder
  • Hmm, apparently the "your account has been suspended" is seen a lot in the wild [when it comes to phishing](https://www.hoax-slayer.net/netflix-your-account-is-suspended-phishing-scam/). Maybe this is indeed a phishing attempt and the phishers wanted OP to click on Forgotten password to give up a re-used password. Or to add payment information. – Hatted Rooster May 12 '19 at 20:17
  • 71
    If someone registers an account with your information, is it really their account? – Nonny Moose May 12 '19 at 21:48
  • 8
    @NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around. – rshepp May 12 '19 at 23:27
  • 8
    This is almost certainly someone abusing Netflix's free trials, not directly attacking OP. – Roland Heath May 13 '19 at 01:01
  • 6
    @NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist – DreamConspiracy May 13 '19 at 01:56
  • 5
    This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago. Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account". – Damon May 13 '19 at 11:07
  • 1
    @rshepp this is not a "package delivered to the wrong address by mistake" this is a PersonAB saying "I want this to be sent to Person XY, put his name and address on it" – Mischa May 14 '19 at 13:21
  • 2
    Everyone: the concept of "authorised access" has ***nothing*** to do with who's name or email is on the account or how easy it is to log in. As security professionals, please understand this basic legal point. If someone with my name opens an account and mistakenly uses my email address instead of his own, closely related email address, that does not mean that I am authorised to access the account. – schroeder May 14 '19 at 13:23
  • @Mischa From the original question: _"This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name."_ – rshepp May 15 '19 at 00:52
  • @rshepp Re "The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account": Good for them ;-). Never agreed, cannot violate. (This may or may not affect any other legal assessments, like whether the OP violated the vague [CFAA](https://www.law.cornell.edu/uscode/text/18/1030). ) – Peter - Reinstate Monica May 15 '19 at 10:58
12
  1. Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netflix account, unless a typo has occurred in the name other than dot placement.
  2. Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
  3. The scam depends upon you having a Netflix account, and using your gmail address for logon.
  4. They are unlikely to have harvested your gmail account from Netflix, nor one that is "dot agnostically similar" (!), but again, typos.
  5. Just send a good example to Netflix, and create a rule to bucket future emails.

I don't even use my gmail address for Google.

schroeder
mckenzm
  • I don't see how the "dots don't matter" policy factors into things here. – iheanyi May 14 '19 at 16:59
  • Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision. – mckenzm May 14 '19 at 23:04
  • 3
    In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com." – David M May 15 '19 at 01:33
  • 5
    But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers. – mckenzm May 15 '19 at 02:10
  • 1
    Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make. – iheanyi May 16 '19 at 02:43
5

This is a common occurrence due to e-mail address confusion.

I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.

The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.

The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.

In my case, none of them are nefarious, but represent clueless users or, even worse, clueless sales clerks (such as Lenscrafters in Maryland, the Apple store in Manhattan, and others too numerous to mention).

If people want to make up an address, then first.last@example.com is the best one to use. It is invalid by definition in the Internet RFCs.

In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).

  • Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way. – Matthew Goheen May 15 '19 at 18:02
  • 1
    I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security. – Noah Snyder May 15 '19 at 19:13
  • I get all sorts of rubbish, including at one point in time 7 separate Skype accounts all using the same email address. It can be impossibly difficult to be removed from an account - for example the OnStar account that still tells me someone's tire pressure every month, but Skype is easy, although rate-limited to some number per day (3?). – Peter Mar 16 '20 at 06:11
5

There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.

If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.

Steve Sether
1

I got emails from Netflix too saying that my account was cancelled and that there was a sign-in attempt somewhere from the US... except that I live in Canada, and have never made a Netflix account in the first place. I went directly to the Netflix website and was able to speak to a representative, and they deleted the account. There was no payment information either. I don't understand why this happened; either someone has a similar email address yet without the dots, or perhaps there is some sinister reason, but I wouldn't know. I've wondered if someone might do this hoping that the other person would fill in their payment information, thus enabling the account.

ana
  • Welcome to Information Security! This doesn't really answer the question, it's more of an 'I'm having this problem too' post. If you have sufficient reputation, [you may upvote](//security.stackexchange.com/privileges/vote-up) the question. Alternatively, "star" it as a favorite and you will be notified of any new answers. Please read the Help Center article [answer] to see what we expect from an answer. – Glorfindel May 19 '20 at 20:41