Massive Credential Stuffing Campaign Hits Streaming Services — 2 Million Accounts Compromised
A coordinated credential stuffing campaign has compromised over 2 million accounts across major streaming platforms including Netflix, Disney+, Spotify, and HBO Max using credentials from a database of 890 million username-password combinations compiled from multiple historical data breaches.
The attack, attributed to a threat actor group operating under the moniker "StreamRaiders," used a distributed network of residential proxies to bypass rate limiting and IP-based blocking mechanisms employed by the streaming services.
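To illustrate why spreading attempts over many residential proxy IPs defeats a per-IP rate limit, and what a defender can look for instead, here is a small Python detector run over a constructed login log. This is an added example, not code from the article or from any of the streaming services; the log format, the RFC 5737 test addresses, and the thresholds are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (hypothetical service, RFC 5737 test addresses):
# each proxy IP makes exactly one failed attempt, so no single IP looks abusive.
STUFFING_LOG = [
    f"2024-05-01T10:00:{i:02d} 203.0.113.{i} user{i:03d} FAIL" for i in range(40)
]
# Constructed legitimate traffic: one user mistypes twice, then succeeds.
NORMAL_LOG = [
    "2024-05-01T10:00:05 198.51.100.7 alice FAIL",
    "2024-05-01T10:00:09 198.51.100.7 alice FAIL",
    "2024-05-01T10:00:14 198.51.100.7 alice OK",
    "2024-05-01T10:00:30 198.51.100.9 bob OK",
]

def parse(lines):
    """Parse 'timestamp ip username result' lines into event dicts, oldest first."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "failed": result == "FAIL"})
    return sorted(events, key=lambda e: e["ts"])

def per_ip_alerts(events, limit=5):
    """Classic per-IP rate limit: return IPs with more than `limit` failures."""
    fails = Counter(e["ip"] for e in events if e["failed"])
    return sorted(ip for ip, n in fails.items() if n > limit)

def detect_distributed_stuffing(events, window=timedelta(seconds=60),
                                min_failures=25, spread=0.8):
    """Flag a window whose failures are spread thinly over many IPs and many
    distinct usernames: the aggregate signature of proxy-backed stuffing that
    slips under per-IP limits. Returns the first matching window or None."""
    fails = [e for e in events if e["failed"]]
    for i, start in enumerate(fails):
        chunk = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
        n = len(chunk)
        if n < min_failures:
            continue
        ips = len({e["ip"] for e in chunk})
        users = len({e["user"] for e in chunk})
        if ips / n >= spread and users / n >= spread:
            return {"start": start["ts"], "failures": n, "ips": ips, "users": users}
    return None
```

On the combined sample the per-IP check raises nothing, while the aggregate detector flags 42 failures from 41 IPs against 41 usernames inside one minute.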
Compromised accounts are being sold on underground marketplaces for $2-8 per account depending on the subscription tier and number of profiles. Some premium accounts with annual subscriptions are listed for up to $15.
The streaming companies have initiated forced password resets for affected accounts and are implementing additional security measures including enhanced bot detection, mandatory email verification for new device logins, and optional two-factor authentication.
This incident underscores the importance of using unique passwords for every online account. Security experts recommend using a password manager and enabling two-factor authentication wherever available. Users who reuse passwords across multiple services should change their credentials immediately.