Why would someone open a Netflix account using my Gmail address?Paypal Account created using my gmail accountHow could someone create a Facebook account with my email address without stealing it?Someone keeps using my email address. What to do?Don't understand how my mum's Gmail account was hackedProve ownership of a GMail accountFind the person behind an email address using its recovery email in GmailMail interception fraud
What's that funny "illo" I keep hearing in Southern Spain?
Does obfuscation give any measurable security benefit?
How do I remove 'None' items from the end of a list in Python
What are the branches of statistics?
Drawing a sequence of circles
Does any politician honestly want a No Deal Brexit?
How to find Enhantments or Artifacts that have multiple effects?
How do I count the number of elements in a list which are between two determined values?
If you revoke a certificate authority's certificate, do all of the certificates it issued become invalid as well?
How to deal with people whose priority is to not get blamed?
Why are second inversion triads considered less consonant than first inversion triads?
Is oxygen above the critical point always supercritical fluid? Would it still appear to roughly follow the ideal gas law?
Does Darwin owe a debt to Hegel?
Get injured / Get increased
When was the famous "sudo warning" introduced? Under What Background? By whom?
Advisor asked for my entire slide presentation so she could give the presentation at an international conference
Does immunity to fear prevent a mummy's Dreadful Glare from paralyzing a character?
Idiom for a situation or event that makes one poor or even poorer?
How to extract *.tgz.part-*?
100% positive Glassdoor employee reviews, 100% negative candidate reviews
Code Golf Measurer © 2019
If I did not sign promotion bonus document, my career would be over. Is this duress?
Hebrew Vowels change the word
Does the US require a House vote to begin an impeachment inquiry?
Why would someone open a Netflix account using my Gmail address?
Paypal Account created using my gmail accountHow could someone create a Facebook account with my email address without stealing it?Someone keeps using my email address. What to do?Don't understand how my mum's Gmail account was hackedProve ownership of a GMail accountFind the person behind an email address using its recovery email in GmailMail interception fraud
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.
I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.
After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.
Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.
I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?
email account-security
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
|
show 10 more comments
This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.
I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.
After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.
Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.
I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?
email account-security
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
41
Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...
– Harper
May 12 at 23:24
24
@DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.
– glglgl
May 13 at 9:42
31
@DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.
– Konrad Rudolph
May 13 at 9:55
22
@DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.
– Konrad Rudolph
May 13 at 11:05
15
I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".
– Matthew Read
May 13 at 15:43
|
show 10 more comments
This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.
I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.
After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.
Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.
I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?
email account-security
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.
I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.
After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.
Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.
I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?
email account-security
email account-security
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
edited May 14 at 15:30
Machavity
3,0381 gold badge8 silver badges25 bronze badges
3,0381 gold badge8 silver badges25 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
asked May 12 at 15:01
user2760608user2760608
5361 gold badge2 silver badges6 bronze badges
5361 gold badge2 silver badges6 bronze badges
41
Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...
– Harper
May 12 at 23:24
24
@DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.
– glglgl
May 13 at 9:42
31
@DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.
– Konrad Rudolph
May 13 at 9:55
22
@DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.
– Konrad Rudolph
May 13 at 11:05
15
I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".
– Matthew Read
May 13 at 15:43
|
show 10 more comments
41
Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...
– Harper
May 12 at 23:24
24
@DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.
– glglgl
May 13 at 9:42
31
@DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.
– Konrad Rudolph
May 13 at 9:55
22
@DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.
– Konrad Rudolph
May 13 at 11:05
15
I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".
– Matthew Read
May 13 at 15:43
41
41
Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...
– Harper
May 12 at 23:24
Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...
– Harper
May 12 at 23:24
24
24
@DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.
– glglgl
May 13 at 9:42
@DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.
– glglgl
May 13 at 9:42
31
31
@DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.
– Konrad Rudolph
May 13 at 9:55
@DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.
– Konrad Rudolph
May 13 at 9:55
22
22
@DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.
– Konrad Rudolph
May 13 at 11:05
@DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.
– Konrad Rudolph
May 13 at 11:05
15
15
I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".
– Matthew Read
May 13 at 15:43
I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".
– Matthew Read
May 13 at 15:43
|
show 10 more comments
5 Answers
5
active
oldest
votes
I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:
More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a
gmail.comaddress which is “already registered”. Let’s say you find the victimjameshfisher.
- Create a Netflix account with address
james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails
james.hfisherasking for a valid card.
- Hope Jim reads the email to
james.hfisher, assumes it’s for his Netflix account backed byjameshfisher, then enters his card**** 1234.
- Change the email for the Netflix account to
eve@gmail.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card
**** 1234!
(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)
The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to foo.bar@example.com and to foobar@example.com end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.
A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
8
I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
– Wildcard
May 13 at 7:07
17
@Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by+is pretty common. In Debian's Postfix default configuration, it reads:recipient_delimiter = +.
– rexkogitans
May 13 at 8:01
7
@CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.
– rexkogitans
May 13 at 9:18
33
The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
– Peter Taylor
May 13 at 10:27
32
@corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address
– jamesdlin
May 14 at 5:00
|
show 15 more comments
The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).
This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.
As a side note, by logging into someone else's account, you have violated many country's "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have".
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
67
If someone registers an account with your information, is it really their account?
– Nonny Moose
May 12 at 21:48
7
@NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
– rshepp
May 12 at 23:27
8
This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
– Roland Heath
May 13 at 1:01
6
@NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist
– DreamConspiracy
May 13 at 1:56
5
This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
– Damon
May 13 at 11:07
|
show 5 more comments
- Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netfix account, unless a typo has occurred in the name other than dot placement.
- Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
- The scam depends upon you having a Netflix account, and using your gmail address for logon.
- They are unlikely to have harvested your gmail account from Netfix, nor one that is "dot agnostically similar" (!), but again, typos.
- Just send a good example to Netflix, and create a rule to bucket future emails.
I don't even use my gmail address for Google.
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
I don't see how the "dots don't matter" policy factors into things here.
– iheanyi
May 14 at 16:59
Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
– mckenzm
May 14 at 23:04
3
In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
– David M
May 15 at 1:33
5
But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
– mckenzm
May 15 at 2:10
Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
– iheanyi
May 16 at 2:43
add a comment
|
This is a common occurrence due to e-mail address confusion.
I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.
The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.
The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.
In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.
If people want to make up an address - then first.last@example.com - is the best one to use. It is invalid by definition in the Internet RFCs.
In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.
– Matthew Goheen
May 15 at 18:02
1
I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.
– Noah Snyder
May 15 at 19:13
add a comment
|
There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.
If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210045%2fwhy-would-someone-open-a-netflix-account-using-my-gmail-address%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:
More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a
gmail.comaddress which is “already registered”. Let’s say you find the victimjameshfisher.
- Create a Netflix account with address
james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails
james.hfisherasking for a valid card.
- Hope Jim reads the email to
james.hfisher, assumes it’s for his Netflix account backed byjameshfisher, then enters his card**** 1234.
- Change the email for the Netflix account to
eve@gmail.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card
**** 1234!
(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)
The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to foo.bar@example.com and to foobar@example.com end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.
A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
8
I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
– Wildcard
May 13 at 7:07
17
@Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by+is pretty common. In Debian's Postfix default configuration, it reads:recipient_delimiter = +.
– rexkogitans
May 13 at 8:01
7
@CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.
– rexkogitans
May 13 at 9:18
33
The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
– Peter Taylor
May 13 at 10:27
32
@corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address
– jamesdlin
May 14 at 5:00
|
show 15 more comments
I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:
More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a
gmail.comaddress which is “already registered”. Let’s say you find the victimjameshfisher.
- Create a Netflix account with address
james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails
james.hfisherasking for a valid card.
- Hope Jim reads the email to
james.hfisher, assumes it’s for his Netflix account backed byjameshfisher, then enters his card**** 1234.
- Change the email for the Netflix account to
eve@gmail.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card
**** 1234!
(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)
The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to foo.bar@example.com and to foobar@example.com end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.
A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
8
I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
– Wildcard
May 13 at 7:07
17
@Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by+is pretty common. In Debian's Postfix default configuration, it reads:recipient_delimiter = +.
– rexkogitans
May 13 at 8:01
7
@CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.
– rexkogitans
May 13 at 9:18
33
The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
– Peter Taylor
May 13 at 10:27
32
@corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address
– jamesdlin
May 14 at 5:00
|
show 15 more comments
I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:
More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a
gmail.comaddress which is “already registered”. Let’s say you find the victimjameshfisher.
- Create a Netflix account with address
james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails
james.hfisherasking for a valid card.
- Hope Jim reads the email to
james.hfisher, assumes it’s for his Netflix account backed byjameshfisher, then enters his card**** 1234.
- Change the email for the Netflix account to
eve@gmail.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card
**** 1234!
(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)
The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to foo.bar@example.com and to foobar@example.com end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.
A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/:
More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a
gmail.comaddress which is “already registered”. Let’s say you find the victimjameshfisher.
- Create a Netflix account with address
james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails
james.hfisherasking for a valid card.
- Hope Jim reads the email to
james.hfisher, assumes it’s for his Netflix account backed byjameshfisher, then enters his card**** 1234.
- Change the email for the Netflix account to
eve@gmail.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card
**** 1234!
(Note that the above steps don't include any "password reset" step for Jim to access the account; that's because the email from Netflix includes authenticated links that won't ask for it. The attacker wants the victim to click on the email links instead of visiting Netflix manually, this is what enables "Eve" to log back in to the account in step 7. Or, since Netflix emails authenticated links, possibly "Eve" already has one.)
The above situation is partially caused by Netflix (understandably) not recognizing Gmail's "dots don't matter" feature where email sent to foo.bar@example.com and to foobar@example.com end up in the same account. That doesn't really matter in your case (given that if this is how you're trying to be scammed, step 1 was skipped entirely), however.
A bigger problem is that Netflix apparently still allows people to register email addresses to accounts without verification.
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
edited May 13 at 22:34
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
answered May 12 at 21:19
jamesdlinjamesdlin
1,7041 gold badge9 silver badges11 bronze badges
1,7041 gold badge9 silver badges11 bronze badges
8
I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
– Wildcard
May 13 at 7:07
17
@Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by+is pretty common. In Debian's Postfix default configuration, it reads:recipient_delimiter = +.
– rexkogitans
May 13 at 8:01
7
@CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.
– rexkogitans
May 13 at 9:18
33
The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
– Peter Taylor
May 13 at 10:27
32
@corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address
– jamesdlin
May 14 at 5:00
|
show 15 more comments
8
I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
– Wildcard
May 13 at 7:07
17
@Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by+is pretty common. In Debian's Postfix default configuration, it reads:recipient_delimiter = +.
– rexkogitans
May 13 at 8:01
7
@CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.
– rexkogitans
May 13 at 9:18
33
The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
– Peter Taylor
May 13 at 10:27
32
@corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address
– jamesdlin
May 14 at 5:00
8
8
I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
– Wildcard
May 13 at 7:07
I could have sworn I once found the "dots don't matter" feature of gmail specified in an RFC, but I can't seem to find it.
– Wildcard
May 13 at 7:07
17
17
@Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by
+ is pretty common. In Debian's Postfix default configuration, it reads: recipient_delimiter = +.– rexkogitans
May 13 at 8:01
@Gizmo Ignoring a dot in an e-mail address is an awkward security hole, IMHO. But separating the e-mail address from a filter by
+ is pretty common. In Debian's Postfix default configuration, it reads: recipient_delimiter = +.– rexkogitans
May 13 at 8:01
7
7
@CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.
– rexkogitans
May 13 at 9:18
@CedricReichenbach It is not a security hole for Google, but it is a massive invitation for phishing attacks exactly as shown as in jamesdlin's example: Other sites using e-mail addresses as login.
– rexkogitans
May 13 at 9:18
33
33
The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
– Peter Taylor
May 13 at 10:27
The answer to your puzzlement at step 7 is that in the standard pattern there is no password reset. OP sensibly went directly to the Netflix site to gain access, but the e-mail they received contained links with auth tokens which would have allowed changing the credit card without knowing the password. That's a major fail by Netflix, where they're prioritising convenience of paying them over the customer's security.
– Peter Taylor
May 13 at 10:27
32
32
@corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address
– jamesdlin
May 14 at 5:00
@corvus_192 While I don't disagree that Netflix is doing nothing wrong regarding the way it honors dots in email addresses, Netflix is doing something wrong by not verifying ownership of the provided email address
– jamesdlin
May 14 at 5:00
|
show 15 more comments
The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).
This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.
As a side note, by logging into someone else's account, you have violated many country's "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have".
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
67
If someone registers an account with your information, is it really their account?
– Nonny Moose
May 12 at 21:48
7
@NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
– rshepp
May 12 at 23:27
8
This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
– Roland Heath
May 13 at 1:01
6
@NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist
– DreamConspiracy
May 13 at 1:56
5
This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
– Damon
May 13 at 11:07
|
show 5 more comments
The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).
This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.
As a side note, by logging into someone else's account, you have violated many country's "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have".
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
67
If someone registers an account with your information, is it really their account?
– Nonny Moose
May 12 at 21:48
7
@NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
– rshepp
May 12 at 23:27
8
This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
– Roland Heath
May 13 at 1:01
6
@NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist
– DreamConspiracy
May 13 at 1:56
5
This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
– Damon
May 13 at 11:07
|
show 5 more comments
The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).
This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.
As a side note, by logging into someone else's account, you have violated many country's "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have".
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).
This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.
As a side note, by logging into someone else's account, you have violated many country's "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have".
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
answered May 12 at 15:14
schroeder♦schroeder
87.6k36 gold badges198 silver badges235 bronze badges
87.6k36 gold badges198 silver badges235 bronze badges
67
If someone registers an account with your information, is it really their account?
– Nonny Moose
May 12 at 21:48
7
@NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
– rshepp
May 12 at 23:27
8
This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
– Roland Heath
May 13 at 1:01
6
@NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist
– DreamConspiracy
May 13 at 1:56
5
This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
– Damon
May 13 at 11:07
|
show 5 more comments
67
If someone registers an account with your information, is it really their account?
– Nonny Moose
May 12 at 21:48
7
@NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
– rshepp
May 12 at 23:27
8
This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
– Roland Heath
May 13 at 1:01
6
@NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist
– DreamConspiracy
May 13 at 1:56
5
This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
– Damon
May 13 at 11:07
67
67
If someone registers an account with your information, is it really their account?
– Nonny Moose
May 12 at 21:48
If someone registers an account with your information, is it really their account?
– Nonny Moose
May 12 at 21:48
7
7
@NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
– rshepp
May 12 at 23:27
@NonnyMoose I would argue the account still belongs to the person who created it. If a package with your name on it is shipped to the wrong address, does the person who lives there have the right to open your package? Also, the account likely has personal information belonging to the account's true creator/owner - name, address, date of birth, etc. The OP also hasn't accepted any terms and conditions or any other prerequisites for creating an account. In this instance, I would email Netflix and explain the situation to them rather than log into the account and snoop around.
– rshepp
May 12 at 23:27
8
8
This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
– Roland Heath
May 13 at 1:01
This is almost certainly someone abusing Netflix's free trials, not directly attacking OP.
– Roland Heath
May 13 at 1:01
6
6
@NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist
– DreamConspiracy
May 13 at 1:56
@NonnyMoose based on my limited legal knowledge, accounts always belong to people (physical human beings) and never to the different virtual manifestations of people that exist
– DreamConspiracy
May 13 at 1:56
5
5
This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
– Damon
May 13 at 11:07
This is likely the correct idea. I'm saying that because the same happened to me some 2-3 months ago.Without anything else, I wrote to customer support "I got this e-mail, ref no. blah blah, and I am not a customer of yours". Reply was like: "Oh, well thank you for the notice, we have deactivated the account".
– Damon
May 13 at 11:07
|
show 5 more comments
- Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netfix account, unless a typo has occurred in the name other than dot placement.
- Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
- The scam depends upon you having a Netflix account, and using your gmail address for logon.
- They are unlikely to have harvested your gmail account from Netfix, nor one that is "dot agnostically similar" (!), but again, typos.
- Just send a good example to Netflix, and create a rule to bucket future emails.
I don't even use my gmail address for Google.
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
I don't see how the "dots don't matter" policy factors into things here.
– iheanyi
May 14 at 16:59
Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
– mckenzm
May 14 at 23:04
3
In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
– David M
May 15 at 1:33
5
But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
– mckenzm
May 15 at 2:10
Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
– iheanyi
May 16 at 2:43
add a comment
|
- Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netfix account, unless a typo has occurred in the name other than dot placement.
- Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
- The scam depends upon you having a Netflix account, and using your gmail address for logon.
- They are unlikely to have harvested your gmail account from Netfix, nor one that is "dot agnostically similar" (!), but again, typos.
- Just send a good example to Netflix, and create a rule to bucket future emails.
I don't even use my gmail address for Google.
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
I don't see how the "dots don't matter" policy factors into things here.
– iheanyi
May 14 at 16:59
Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
– mckenzm
May 14 at 23:04
3
In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
– David M
May 15 at 1:33
5
But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
– mckenzm
May 15 at 2:10
Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
– iheanyi
May 16 at 2:43
add a comment
|
- Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netfix account, unless a typo has occurred in the name other than dot placement.
- Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
- The scam depends upon you having a Netflix account, and using your gmail address for logon.
- They are unlikely to have harvested your gmail account from Netfix, nor one that is "dot agnostically similar" (!), but again, typos.
- Just send a good example to Netflix, and create a rule to bucket future emails.
I don't even use my gmail address for Google.
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
- Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netfix account, unless a typo has occurred in the name other than dot placement.
- Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
- The scam depends upon you having a Netflix account, and using your gmail address for logon.
- They are unlikely to have harvested your gmail account from Netfix, nor one that is "dot agnostically similar" (!), but again, typos.
- Just send a good example to Netflix, and create a rule to bucket future emails.
I don't even use my gmail address for Google.
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
edited May 14 at 7:01
schroeder♦
87.6k36 gold badges198 silver badges235 bronze badges
87.6k36 gold badges198 silver badges235 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
answered May 13 at 5:48
mckenzmmckenzm
3531 silver badge5 bronze badges
3531 silver badge5 bronze badges
I don't see how the "dots don't matter" policy factors into things here.
– iheanyi
May 14 at 16:59
Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
– mckenzm
May 14 at 23:04
3
In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
– David M
May 15 at 1:33
5
But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
– mckenzm
May 15 at 2:10
Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
– iheanyi
May 16 at 2:43
add a comment
|
I don't see how the "dots don't matter" policy factors into things here.
– iheanyi
May 14 at 16:59
Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
– mckenzm
May 14 at 23:04
3
In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
– David M
May 15 at 1:33
5
But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
– mckenzm
May 15 at 2:10
Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
– iheanyi
May 16 at 2:43
I don't see how the "dots don't matter" policy factors into things here.
– iheanyi
May 14 at 16:59
I don't see how the "dots don't matter" policy factors into things here.
– iheanyi
May 14 at 16:59
Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
– mckenzm
May 14 at 23:04
Because if the dots mattered, gmail would not deliver mail to you with non-matching dots. Netflix sees two addresses. gmail.com sees them as the same address. OP does not have Netflix, so unless it is a speculative attack, the normal gmail address of the OP was not scraped from Netflix after a collision.
– mckenzm
May 14 at 23:04
3
3
In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
– David M
May 15 at 1:33
In regards to "Dots don't matter", other addresses without said dots can't exist: "Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com."
– David M
May 15 at 1:33
5
5
But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
– mckenzm
May 15 at 2:10
But they can send email to j.o.h.n.s.m.i.t.h@gmail.com, and so can Netflix. It still resolves to johnsmith@gmail.com once it hits the gmail servers.
– mckenzm
May 15 at 2:10
Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
– iheanyi
May 16 at 2:43
Sure, but "the dots" were not an issue here. So I cannot see how your answer is relevant to this question. Making true statements about something tangentially related does not an answer make.
– iheanyi
May 16 at 2:43
add a comment
|
This is a common occurrence due to e-mail address confusion.
I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.
The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.
The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.
In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.
If people want to make up an address - then first.last@example.com - is the best one to use. It is invalid by definition in the Internet RFCs.
In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.
– Matthew Goheen
May 15 at 18:02
1
I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.
– Noah Snyder
May 15 at 19:13
add a comment
|
This is a common occurrence due to e-mail address confusion.
I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.
The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.
The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.
In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.
If people want to make up an address - then first.last@example.com - is the best one to use. It is invalid by definition in the Internet RFCs.
In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.
– Matthew Goheen
May 15 at 18:02
1
I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.
– Noah Snyder
May 15 at 19:13
add a comment
|
This is a common occurrence due to e-mail address confusion.
I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.
The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.
The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.
In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.
If people want to make up an address - then first.last@example.com - is the best one to use. It is invalid by definition in the Internet RFCs.
In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
This is a common occurrence due to e-mail address confusion.
I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.
The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.
The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.
In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland), the Apple store in Manhattan, and others too numerous to mention.
If people want to make up an address - then first.last@example.com - is the best one to use. It is invalid by definition in the Internet RFCs.
In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
edited Sep 27 at 19:56
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
answered May 15 at 17:37
The ProgrammerThe Programmer
313 bronze badges
313 bronze badges
Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.
– Matthew Goheen
May 15 at 18:02
1
I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.
– Noah Snyder
May 15 at 19:13
add a comment
|
Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.
– Matthew Goheen
May 15 at 18:02
1
I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.
– Noah Snyder
May 15 at 19:13
Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.
– Matthew Goheen
May 15 at 18:02
Actually, its not a HIPAA violation if the record belonged to the intended recipient and the intended recipient requested that the information be transmitted in an insecure fashion and they were made to understand the dangers before transmission and still opted to have it sent in that way.
– Matthew Goheen
May 15 at 18:02
1
1
I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.
– Noah Snyder
May 15 at 19:13
I've also gotten medical reports (x-rays), but my best example of such a first-initial wrong email was a job offer to work at the Department of Homeland Security.
– Noah Snyder
May 15 at 19:13
add a comment
|
There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.
If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
add a comment
|
There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.
If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
add a comment
|
There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.
If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.
If the UI returns that that email address is already used, then it identifies it as an account to try dictionary based login attempts against.
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
answered May 15 at 18:57
Steve SetherSteve Sether
18.6k7 gold badges42 silver badges69 bronze badges
18.6k7 gold badges42 silver badges69 bronze badges
add a comment
|
add a comment
|
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210045%2fwhy-would-someone-open-a-netflix-account-using-my-gmail-address%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
41
Did you click the links in the email to reset your password? Or did you actually type w w w . n e t f l i x . c o m into a browser with your fingers? That first one is how they getcha...
– Harper
May 12 at 23:24
24
@DmitryGrigoryev IBTD. That other person willingly used the OP's email address and had to expect this as well.
– glglgl
May 13 at 9:42
31
@DmitryGrigoryev Yeah no. What OP did was lock their front door when somebody else was letting themselves in uninvited and using their living room to watch TV.
– Konrad Rudolph
May 13 at 9:55
22
@DmitryGrigoryev I am aware. To stretch my metaphor a bit, what OP did was rifle through the handbag that the intruder left behind in OP’s living room, to look for ID.
– Konrad Rudolph
May 13 at 11:05
15
I have several Gmail accounts, and one of them gets account signups like this all the time. They're all harmless. It's a short and surprisingly popular name, so I think it's either due to typos or someone confusing their email domains. I once did have someone try repeatedly to reset my Gmail password, but that stopped after I changed the text of my security question to "This is not your account, person from IP abc.def.ghi.jkl".
– Matthew Read
May 13 at 15:43