An Oregon man who authorities say stole and resold customers’ credentials for Netflix and other streaming services has been indicted on fraud charges, the US Attorney’s office announced.
According to the indictment, Samuel Joyner and Evan McMahon stole and sold more than 200,000 customer account credentials — for streaming services including Netflix, HBO Max, and Spotify Premium — as part of the operation of an online service called AccountBot. Users of the site paid a subscription fee to obtain others’ credentials for paid streaming services at a lower rate than the services charged.
As of March 2019, the service allegedly had some 52,000 customers and offered more than 217,000 stolen streaming account credentials.
AccountBot allegedly obtained those credentials through hacking. The indictment alleges that the two men used credential stuffing attacks — essentially taking login details from public breaches and reusing the information on other sites. Such attacks often work because people reuse the same passwords and usernames on many sites. Joyner and McMahon used an automated tool to verify the stolen credentials.
AccountBot customers paid between $1.79 and $24.99 for access to the stolen credentials, depending on how long and which service they wanted to access. The DOJ says McMahon managed payments and coded the AccountBot website, while Joyner acquired the stolen credentials and handled AccountBot customer service.
Netflix and other streaming services have dealt with a variety of password-stealing schemes and other scams for years. Netflix announced earlier this year it was trying to crack down on password-sharing among its customers; even if you’re only sharing account access with people you know, the more people who have the info, the greater the chances that info could be compromised. According to analysis from research firm Parks Associates, password piracy and sharing cost streaming services like Netflix, Hulu, and Disney Plus $9 billion a year.
McMahon was prosecuted for similar offenses in the District Court of New South Wales in Sydney, according to the DOJ, and last month was sentenced to two years and two months by way of intensive corrections order.
Joyner is charged with conspiracy to commit computer and access device fraud, trafficking and use of unauthorized access devices, and possession of more than 15 unauthorized access devices. He was arrested Wednesday by the FBI and pleaded not guilty at an arraignment before a US magistrate judge. He’s scheduled to stand trial on the charges July 13th.
The charges of conspiracy to commit computer and access device fraud carry a max sentence of five years in federal prison. Trafficking and use of unauthorized access devices and possession of 15 or more unauthorized access devices are each punishable by up to 10 years in federal prison.