



Why would someone open a Netflix account using my Gmail address?

















86

















This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.



I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.



After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.



Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.



I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?


































  • 41





    Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...

    – Harper
    May 12 at 23:24






  • 24





    @DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.

    – glglgl
    May 13 at 9:42






  • 31





    @DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.

    – Konrad Rudolph
    May 13 at 9:55







  • 22





    @DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.

    – Konrad Rudolph
    May 13 at 11:05







  • 15





    I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".

    – Matthew Read
    May 13 at 15:43









































email account-security














asked May 12 at 15:01 by user2760608
edited May 14 at 15:30 by Machavity




















5 Answers


















170


















I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:




More generally, the phishing scam here is:



  1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.

  2. Create a Netflix account with address james.hfisher.

  3. Sign up for free trial with a throwaway card number.

  4. After Netflix applies the “active card check”, cancel the card.

  5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.

  6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.

  7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.

  8. Use Netflix free forever with Jim’s card **** 1234!



(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually; this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)



The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to foo.bar@example.com and to foobar@example.com end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.



A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.






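The collision the quoted scam relies on is easy to reproduce, and the service-side fix is to key the user table on a canonical form of the address rather than on the string the signup form received. The following Python is an added example (not code from this answer, the linked post, Gmail or Netflix); the domain sets and the sample addresses are assumptions chosen for the demonstration:

```python
"""Canonicalise e-mail addresses so a registry keyed on them cannot be split
by Gmail's "dots don't matter" rule.  Added example; the domain sets and the
addresses used in demo() are constructed for the demonstration."""

# Domains whose local part is dot-insensitive and where a '+tag' suffix is
# delivered to the same mailbox.  Gmail is the documented case; extend these
# for your own domains (Debian's Postfix default is recipient_delimiter = +).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}  # assumed alias mapping


def canonicalize(address: str) -> str:
    """Return the mailbox identity behind *address* for uniqueness checks.

    The whole address is lower-cased (RFC 5321 leaves local-part case to the
    receiving host, but the large providers fold it).  For the domains listed
    above the '+tag' suffix and the dots are removed, because Gmail delivers
    foo.bar+x@gmail.com to the same inbox as foobar@gmail.com.  Dots in other
    domains are left alone: there they may name distinct mailboxes.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower().rstrip(".")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    domain = DOMAIN_ALIASES.get(domain, domain)
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when mail to *a* and to *b* lands in the same inbox."""
    return canonicalize(a) == canonicalize(b)


class AccountRegistry:
    """In-memory stand-in for a user table.  *key* decides what counts as
    'already registered': str.lower reproduces the naive check that lets the
    scam's step 2 through; canonicalize closes it."""

    def __init__(self, key=canonicalize):
        self._key = key
        self._accounts: dict[str, str] = {}  # key -> address as registered

    def register(self, address: str) -> bool:
        """Create the account; False if that mailbox already has one."""
        k = self._key(address)
        if k in self._accounts:
            return False
        self._accounts[k] = address
        return True

    def lookup(self, address: str):
        """Address the mailbox was originally registered with, or None."""
        return self._accounts.get(self._key(address))


def demo() -> dict:
    # Constructed addresses following the quoted post's example.
    victim = "jameshfisher@gmail.com"
    attacker_variant = "James.H.Fisher+nf@gmail.com"
    naive, strict = AccountRegistry(key=str.lower), AccountRegistry()
    naive.register(victim)
    strict.register(victim)
    return {
        "naive_accepts_variant": naive.register(attacker_variant),
        "strict_accepts_variant": strict.register(attacker_variant),
        "strict_finds_owner": strict.lookup(attacker_variant),
    }
```

`AccountRegistry(key=str.lower)` behaves like a registry that sees james.hfisher@gmail.com as a fresh address, which is exactly what step 2 of the scam needs; `AccountRegistry()` rejects it because both spellings map to the same mailbox. Canonicalising only for domains known to be dot-insensitive matters: collapsing dots for every domain would merge mailboxes that are genuinely distinct on other providers.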























  • 8





    I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.

    – Wildcard
    May 13 at 7:07






  • 17





    @Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by + is pretty common. In Debian's Postfix default configuration, it reads: recipient_delimiter = +.

    – rexkogitans
    May 13 at 8:01







  • 7





    @CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.

    – rexkogitans
    May 13 at 9:18







  • 33





    The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.

    – Peter Taylor
    May 13 at 10:27






  • 32





    @corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address

    – jamesdlin
    May 14 at 5:00


















47


















The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).



This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.



As a side note, by logging into someone else's account, you have violated many countries' "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have).



























  • 67





    If someone registers an account with your information, is it really their account?

    – Nonny Moose
    May 12 at 21:48






  • 7





    @NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.

    – rshepp
    May 12 at 23:27







  • 8





    This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.

    – Roland Heath
    May 13 at 1:01






  • 6





    @NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist

    – DreamConspiracy
    May 13 at 1:56






  • 5





    This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".

    – Damon
    May 13 at 11:07


















10


















  1. Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netflix account, unless a typo has occurred in the name other than dot placement.

  2. Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.

  3. The scam depends upon you having a Netflix account, and using your gmail address for logon.

  4. They are unlikely to have harvested your gmail account from Netflix, nor one that is "dot agnostically similar" (!), but again, typos.

  5. Just send a good example to Netflix, and create a rule to bucket future emails.

I don't even use my gmail address for Google.


































  • I don't see how the "dots don't matter" policy factors into things here.

    – iheanyi
    May 14 at 16:59











  • Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.

    – mckenzm
    May 14 at 23:04






  • 3





    In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."

    – David M
    May 15 at 1:33







  • 5





    But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.

    – mckenzm
    May 15 at 2:10











  • Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.

    – iheanyi
    May 16 at 2:43


















3


















This is a common occurrence due to e-mail address confusion.



I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.



The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.



The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.



In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.



If people want to make up an address, then first.last@example.com is the best one to use. It is invalid by definition in the Internet RFCs.



In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).


































  • Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.

    – Matthew Goheen
    May 15 at 18:02






  • 1





    I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.

    – Noah Snyder
    May 15 at 19:13


















2


















There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.



If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.






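The "double-opt-in" step asked for two answers up (confirm the address before anything is created for it) and the enumeration concern in the answer directly above (the signup form must not reveal whether an address is already registered) are two sides of one signup handler. The following Python is an added example, not the page's or any provider's code; the in-memory outbox standing in for the mail sender, the 24-hour token lifetime and the sample addresses are assumptions for the demonstration:

```python
"""Double-opt-in signup: nothing exists for an address until whoever reads
that mailbox follows the confirmation link, and the signup response never
says whether the address is already registered.  Added example; the outbox
list stands in for a real mail sender and the addresses are constructed."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a confirmation link


class SignupService:
    # One fixed reply for new and existing addresses alike, so the form
    # cannot be hammered as an "is this address registered?" oracle.
    SIGNUP_REPLY = "If that address is valid, a confirmation e-mail is on its way."

    def __init__(self, clock=time.time):
        self._clock = clock
        self.accounts: dict[str, str] = {}       # verified address -> name
        self._pending: dict[str, tuple] = {}     # sha256(token) -> (address, name, expiry)
        self.outbox: list[tuple[str, str]] = []  # (recipient, body) the demo "sends"

    def signup(self, address: str, name: str) -> str:
        address = address.strip().lower()
        if address in self.accounts:
            # Inform the real owner, not the requester; the account is untouched.
            self.outbox.append((address,
                "Someone tried to sign up with this address, but you already "
                "have an account. If this was not you, no action is needed."))
            return self.SIGNUP_REPLY
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked pending table must not yield live links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (address, name, self._clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((address, f"Confirm your new account: /verify?token={token}"))
        return self.SIGNUP_REPLY

    def verify(self, token: str) -> bool:
        """Handler for the link in the mail.  Creates the account once, only
        before expiry.  It neither logs the browser in nor authorises any
        billing action: the click proves control of the mailbox, nothing more."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # single use, even on failure
        if entry is None:
            return False
        address, name, expires_at = entry
        if self._clock() > expires_at:
            return False
        if address in self.accounts:              # raced by a parallel signup
            return False
        self.accounts[address] = name
        return True

    def last_token_for(self, address: str):
        """Demo helper: read the token out of the most recent mail to
        *address*, i.e. play the mailbox owner opening the message."""
        for to, body in reversed(self.outbox):
            if to == address and "token=" in body:
                return body.split("token=", 1)[1]
        return None


def demo() -> dict:
    now = [1_700_000_000.0]                       # controllable clock
    svc = SignupService(clock=lambda: now[0])
    # A stranger signs up with a mailbox they do not control (constructed).
    svc.signup("victim@gmail.com", "Someone Else")
    stray_token = svc.last_token_for("victim@gmail.com")
    account_before_click = "victim@gmail.com" in svc.accounts
    # The mailbox owner ignores the mail; a day later the link is dead.
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.verify(stray_token)
    # Later the owner signs up themselves and does click.
    svc.signup("victim@gmail.com", "Real Owner")
    accepted = svc.verify(svc.last_token_for("victim@gmail.com"))
    replay = svc.verify(svc.last_token_for("victim@gmail.com"))
    return {
        "account_before_click": account_before_click,
        "expired_link_works": expired,
        "owner_verified": accepted,
        "replay_works": replay,
        "owner_name": svc.accounts.get("victim@gmail.com"),
        "mails_sent": len(svc.outbox),
    }
```

Two properties carry the weight here. Until `verify` succeeds there is no account, so no billing reminder, no "update your payment details" mail and no authenticated link can ever reach a mailbox whose owner never asked for one; and `signup` answers with the same sentence and the same timing path whether the address is taken or not, so the stranger learns nothing about the mailbox they typed.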





















































    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









170

I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:

More generally, the phishing scam here is:

1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
2. Create a Netflix account with address james.hfisher.
3. Sign up for free trial with a throwaway card number.
4. After Netflix applies the “active card check”, cancel the card.
5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
8. Use Netflix free forever with Jim’s card **** 1234!

(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually; this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)

The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature, where email sent to foo.bar@example.com and to foobar@example.com ends up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.

A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.






edited May 13 at 22:34
answered May 12 at 21:19
jamesdlin
1,704 · 1 gold badge · 9 silver badges · 11 bronze badges










• 8
  I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
  – Wildcard, May 13 at 7:07

• 17
  @Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by + is pretty common. In Debian's Postfix default configuration, it reads: recipient_delimiter = +.
  – rexkogitans, May 13 at 8:01

• 7
  @CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown in jamesdlin's example: other sites using e-mail addresses as login.
  – rexkogitans, May 13 at 9:18

• 33
  The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
  – Peter Taylor, May 13 at 10:27

• 32
  @corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address.
  – jamesdlin, May 14 at 5:00
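The answer's closing point, and Peter Taylor's comment, describe two separate defects: an address is attached to an account without proof that its owner asked for it, and the mail that follows carries links that act as credentials. The example below is added here and is not Netflix's code or anything from the linked blog post; it shows the control a signup service would put in front of both problems. The server-side key, the in-memory account table and the `verify-email` purpose string are assumptions for the demonstration, and the caller passes the clock explicitly so the expiry logic can be exercised without waiting. A billing reminder is only sent once the address is verified, and the link token is bound to one address, one purpose and an expiry, so a verification link cannot be reused to change payment details.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Hypothetical server-side signing key; a real deployment loads it from a KMS.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # verification links stop working after one day


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, purpose: str, now: float, key: bytes = SECRET_KEY) -> str:
    """Mint a link token bound to one address, one purpose and an expiry.

    Binding the purpose is what stops a 'verify your address' link from
    doubling as an 'update payment details' link.
    """
    claims = {
        "email": email.lower(),
        "purpose": purpose,
        "exp": int(now + TOKEN_TTL),
        "nonce": secrets.token_hex(8),
    }
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, email: str, purpose: str, now: float,
                 key: bytes = SECRET_KEY) -> bool:
    """Accept only an untampered, unexpired token for exactly this address and purpose."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    return (claims.get("email") == email.lower()
            and claims.get("purpose") == purpose
            and claims.get("exp", 0) > now)


class AccountStore:
    """In-memory accounts; an address is usable only after its owner clicked the link."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email": str, "verified": bool}

    def signup(self, account_id: str, email: str, now: float) -> str:
        """Create the account with the address unverified; return the token to mail out."""
        self.accounts[account_id] = {"email": email, "verified": False}
        return issue_token(email, "verify-email", now)

    def confirm(self, account_id: str, token: str, now: float) -> bool:
        """Called when the emailed link is clicked; marks the address verified on success."""
        acct = self.accounts[account_id]
        if not verify_token(token, acct["email"], "verify-email", now):
            return False
        acct["verified"] = True
        return True

    def may_send_billing_mail(self, account_id: str) -> bool:
        """The 'please enter a valid card' message must never go to an unverified address."""
        return self.accounts[account_id]["verified"]
```

The token is deliberately not a session: clicking it proves control of the mailbox and nothing else, so the card-change flow still has to authenticate the user separately. That is the property the Netflix mail described in the comments lacked.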












    47


















The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).

This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.

As a side note, by logging into someone else's account, you have violated many countries' "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have).






answered May 12 at 15:14
schroeder
87.6k · 36 gold badges · 198 silver badges · 235 bronze badges










• 67
  If someone registers an account with your information, is it really their account?
  – Nonny Moose, May 12 at 21:48

• 7
  @NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
  – rshepp, May 12 at 23:27

• 8
  This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
  – Roland Heath, May 13 at 1:01

• 6
  @NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist.
  – DreamConspiracy, May 13 at 1:56

• 5
  This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago. Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
  – Damon, May 13 at 11:07












    10


















1. Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netflix account, unless a typo has occurred in the name other than dot placement.
2. Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
3. The scam depends upon you having a Netflix account, and using your gmail address for logon.
4. They are unlikely to have harvested your gmail account from Netflix, nor one that is "dot agnostically similar" (!), but again, typos.
5. Just send a good example to Netflix, and create a rule to bucket future emails.

I don't even use my gmail address for Google.






• I don't see how the "dots don't matter" policy factors into things here.
  – iheanyi, May 14 at 16:59

• Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
  – mckenzm, May 14 at 23:04

• 3
  In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
  – David M, May 15 at 1:33

• 5
  But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
  – mckenzm, May 15 at 2:10

• Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
  – iheanyi, May 16 at 2:43
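Both this answer and step 1 of the scam in jamesdlin's answer above turn on the same mismatch: Netflix treats james.hfisher@gmail.com and jameshfisher@gmail.com as two registrations, while Gmail delivers both to one mailbox. The example below is added here and is not Google's or Netflix's code; it canonicalises addresses the way the thread describes Gmail behaving (dots in the local part ignored, the googlemail.com alias folded into gmail.com, and a "+tag" suffix dropped, the last of which the page mentions only for Postfix but which Gmail also honours) so that a signup form can flag a dot variant of a registered address as already taken, and so that an existing user table can be audited for collisions. For any other domain only the domain is lower-cased, since the local-part rules belong to the receiving mail system and cannot be assumed.

```python
from collections import defaultdict

# Domains for which the Gmail rules are assumed to apply.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    Gmail: strip dots and any '+tag' from the local part, lower-case it, and
    treat googlemail.com as gmail.com. Other domains: lower-case the domain
    only; their local-part semantics are not known here.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def registration_conflicts(existing, candidate: str) -> bool:
    """What a signup form should check: does a registered address already deliver
    to the same mailbox as the candidate, dots or tags notwithstanding?"""
    target = canonical_mailbox(candidate)
    return any(canonical_mailbox(addr) == target for addr in existing)


def find_collisions(addresses):
    """Audit a user table: map each mailbox to the distinct registered strings
    that reach it, keeping only mailboxes with more than one registration."""
    groups = defaultdict(set)
    for addr in addresses:
        groups[canonical_mailbox(addr)].add(addr)
    return {box: sorted(variants) for box, variants in groups.items()
            if len(variants) > 1}
```

A service that runs `registration_conflicts` at signup closes step 1 of the scam for Gmail users; a service that runs `find_collisions` over its existing accounts can see how many such pairs it has already accepted and notify the verified holder of each mailbox.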















    10


















    1. Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netfix account, unless a typo has occurred in the name other than dot placement.

    2. Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.

    3. The scam depends upon you having a Netflix account, and using your gmail address for logon.

    4. They are unlikely to have harvested your gmail account from Netfix, nor one that is "dot agnostically similar" (!), but again, typos.

    5. Just send a good example to Netflix, and create a rule to bucket future emails.

    I don't even use my gmail address for Google.






    share|improve this answer




























    • I don't see how the "dots don't matter" policy factors into things here.

      – iheanyi
      May 14 at 16:59











    • Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.

      – mckenzm
      May 14 at 23:04

    • In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."

      – David M
      May 15 at 1:33

    • But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.

      – mckenzm
      May 15 at 2:10

    • Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.

      – iheanyi
      May 16 at 2:43
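mckenzm's point in the comments above (Netflix sees two addresses, gmail.com sees one inbox) worked through as an added Python example; it is not code from the answer or from any service mentioned. It canonicalises an address the way the receiving Google mailbox does, so a signup system can tell when a "new" address really lands in an existing customer's inbox. Treating googlemail.com as an alias and stripping a "+" tag are assumptions beyond what the page states.

```python
from collections import defaultdict

# Assumption (not stated on the page): googlemail.com delivers to the same
# mailboxes as gmail.com, so both are treated as one provider here.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address: str) -> str:
    """Return the form the receiving mail system actually delivers to.

    For Google-hosted mailboxes the local part is case-insensitive, dots are
    ignored and anything after '+' is a tag, so every such variant reaches the
    same inbox.  For any other domain only the domain is case-folded; the local
    part is left untouched because RFC 5321 lets each receiver define it.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_collisions(signups):
    """Group raw signup addresses by the inbox they really land in.

    Returns {canonical: [raw, ...]} for every inbox that more than one raw
    address resolves to.  A service that compares only the raw strings, as the
    comments say Netflix does, would treat these as unrelated accounts.
    """
    by_inbox = defaultdict(list)
    for raw in signups:
        by_inbox[canonical_address(raw)].append(raw)
    return {inbox: raws for inbox, raws in by_inbox.items() if len(raws) > 1}


# Constructed sample signups for the demonstration; not real accounts.
SAMPLE_SIGNUPS = [
    "johnsmith@gmail.com",
    "j.o.h.n.s.m.i.t.h@gmail.com",
    "John.Smith+netflix@googlemail.com",
    "john.smith@example.com",   # other provider: dots stay significant
    "johnsmith@example.com",
]

if __name__ == "__main__":
    for inbox, variants in find_collisions(SAMPLE_SIGNUPS).items():
        print(inbox, "<-", variants)
```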

    edited May 14 at 7:01

    schroeder

    answered May 13 at 5:48

    mckenzm

    This is a common occurrence due to e-mail address confusion.



    I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.



    The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.



    The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.



    In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.



    If people want to make up an address, then first.last@example.com is the best one to use. It is invalid by definition in the Internet RFCs.



    In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).

    • Actually, it's not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.

      – Matthew Goheen
      May 15 at 18:02

    • I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.

      – Noah Snyder
      May 15 at 19:13

    edited Sep 27 at 19:56

    answered May 15 at 17:37

    The Programmer

    There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.



    If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.

        answered May 15 at 18:57

    Steve Sether
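The two defensive points made in the answers above, The Programmer's double-opt-in (confirm an address before it is used) and Steve Sether's warning that a signup form which reports "already used" lets anyone probe for accounts, combined into one added Python example; it is not Netflix's code or any answerer's. The in-memory Store, the token format and the 24-hour expiry are constructed assumptions for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

CONFIRM_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds

# One fixed reply for every signup request, whether or not the address is
# already registered, so the form cannot be used to test for accounts.
SIGNUP_REPLY = "Check your inbox: we sent a link to finish signing up."


@dataclass
class Store:
    """Constructed in-memory stand-in for the user database and mail outbox."""
    users: set = field(default_factory=set)       # confirmed addresses only
    pending: dict = field(default_factory=dict)   # sha256(token) -> (email, expiry)
    outbox: list = field(default_factory=list)    # (to, kind, token_or_None)


def _token_id(token: str) -> str:
    # Only a hash is stored, so a copied database cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def begin_signup(store: Store, email: str, now: float) -> str:
    """Step 1 of the double opt-in: nothing is created or revealed here.

    Either way the caller gets the same reply and exactly one mail goes to the
    address, so an existing account is never disclosed to the requester.
    A production version would also rate-limit per address and equalise the
    time taken by both branches.
    """
    if email in store.users:
        # The inbox owner learns someone typed their address; the requester
        # learns nothing they did not already know.
        store.outbox.append((email, "already-registered", None))
    else:
        token = secrets.token_urlsafe(32)
        store.pending[_token_id(token)] = (email, now + CONFIRM_TTL)
        store.outbox.append((email, "confirm", token))
    return SIGNUP_REPLY


def confirm_signup(store: Store, token: str, now: float) -> bool:
    """Step 2: the account exists only once the inbox owner uses the link."""
    entry = store.pending.pop(_token_id(token), None)  # single use
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    store.users.add(email)
    return True


def is_registered(store: Store, email: str) -> bool:
    return email in store.users
```

Until the link is used, someone who types a stranger's address into the form creates nothing, and the stranger receives only a confirmation mail they can ignore.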