Pirates are selling hundreds of stolen login details for popular over-the-top services on “dark web” marketplaces, according to new research by content-security firm Irdeto.
For the month of April 2018, Irdeto discovered 854 listings of OTT credentials from 69 unique sellers across more than 15 dark web marketplaces. The purloined usernames and passwords on sale were from 42 different streaming services including Netflix, HBO, DirecTV and Hulu.
According to Irdeto, the stolen account info it discovered was available for an average one-time price of $8.81, while some dark-web sellers also offered bundles of credentials for several services at higher prices.
It’s not clear how many of the stolen OTT accounts illegally available for sale represent legitimate, active accounts — or just scams from cybercriminals. Irdeto said it did not buy or test the stolen credentials but discovered other buyers who commented that the accounts they had illegally purchased worked.
On dark web marketplaces, which are cloaked using secret access protocols, a wide range of illicit products, accounts and services are available for purchase, including account credentials for a range of pay-TV services.
Of course, Irdeto has an interest in publicizing and other illicit activities — in order to sell media and entertainment customers on its content security and monitoring solutions and services. The Amsterdam-based company is a subsidiary of media group Naspers.
In the past, execs at streaming-subscription companies have downplayed the problem associated with password-sharing for their services. In fact, Netflix, for example, has made account-sharing among multiple users into a revenue opportunity: In the U.S. the company’s $13.99-per-month Premium plan offers access to up to four simultaneous streams, compared with two for the standard $10.99 monthly tier.
The findings of the sale of OTT login credentials is part of Irdeto’s Global Consumer Piracy Threat Report 2018.
The vendor also found that illegal live-streaming piracy is a global problem, with an average of 74 million global visits per month to the top 10 live-streaming sites in Q1 2018. Most traffic came from the U.S. (2.93 million average monthly visits), the U.K. (1.71 million) and Germany (1,52 million). The company cited a report about a British man who received an £85,000 ($108,500) bill from Sky after a friend illegally streamed a championship boxing match on Facebook Live using his subscription.
In addition, Irdeto found numerous ads for “fully loaded” illegal streaming set-top boxes on ecommerce sites including eBay. The company said that year-to-date in 2018, it has worked to remove nearly 7,000 ads for such illicit set-tops across 60 sites.
“Content theft by pirates has become a full-fledged criminal enterprise, with some providing illegal subscriptions in an attempt to compete with established pay-TV operators,” said Mark Mulready, Irdeto’s VP of cybersecurity services.
In releasing the report’s findings Monday, Irdeto advised consumers to be vigilant of any unusual or unfamiliar activity on their account and recommend changing passwords regularly.