Even if you’re okay with sharing your Netflix password with your best friend, girlfriend and every roommate you’ve ever had, you probably draw the line at total strangers. That won’t stop hackers.
Cybercriminals are getting wise to a password-cracking tool called OpenBullet, which allows them to check the validity of tons of potential login credentials at a time. And, oddly enough, they’re more interested in hacking into streaming service accounts, like Netflix, than e-commerce and financial services accounts, according to a recent report from cybersecurity firm Cybersixgill.
OpenBullet is an open-source tool, meaning anyone from experienced cybercriminals to hacking noobs can download and use it. The tool, which allows them to cycle through thousands of username and password combinations for a specific website until they get a successful hit, has been gaining popularity since its official release in 2019. Since then, Cybersixgill says, OpenBullet has been mentioned 177,000 times in the corners of the dark web where these hackers tend to hang out.
Why do they want our Netflix, Hulu and Disney+ passwords so badly?
Streaming services are accounts that a lot of people have, and typically aren’t very secure, says Michael-Angelo Zummo, threat intel specialist at Cybersixgill. (Think about how easy it is to mooch off your friends’ and family members’ accounts, and vice versa.) Small-time hackers may just be looking for a free Netflix account, but others want to snag your payment details so they can use them on more sensitive accounts, like your banking website.
“It’s a very accessible tool that can result in a lot of damage,” Zummo says.
Bad actors also want as much personal and behavioral information about you as they can get their hands on, says Richard Bird, Chief Customer Information Officer at the cybersecurity firm Ping Identity. Your movie and television preferences might seem harmless, but to a hacker who specializes in social engineering, the two hours a day you spend binging Bridgerton is extremely useful data. That kind of information can help them build a more believable digital “you” that can help them impersonate you online, and provide a wealth of information to help guess other passwords you’ve created across the internet, Bird says. (Netflix and Hulu didn’t respond to Money’s request for comment, and Disney+ pointed Money to its page on how to keep accounts secure.)
The takeaway? Use complex passwords.
“If your password is in the dictionary, someone is going to figure it out,” Zummo says. Web browsers will often have the option to set up nonsense passwords for you — Firefox will give you the option automatically, while Chrome requires you to sync your passwords — so you won’t be tempted to use your go-tos.
If you’d rather come up with your own passwords, try turning each one into a unique, long sentence that is easy to remember but can’t be “guessed” by an OpenBullet bot.
“Length is strength,” Bird says.
When possible, use multi-factor authentication and — as tempting as it may be — don’t repeat passwords. Using a password manager can help: apps like LastPass, Dashlane and Keeper offer free options, as well as tiered plans where you can pay for additional features.
Finally, try to keep your personal information truly personal. Don’t post your birthday, email address or phone number online — and definitely keep photos of your COVID-19 vaccination card or stimulus check deposits off social media.