You may have learned that you should protect your accounts according to how valuable they are. While your email account and bank account should always use two-factor authentication, maybe you think that your streaming services are not that important to protect.
Some people even share their streaming account passwords with friends and family to share access, and maybe the cost, even though this may be a violation of the subscription terms.
How scammers make money
The high prevalence of weak security on streaming accounts has unfortunately also been turned into a viable business model for cybercriminals.
Scammers will first collect usernames and passwords to streaming accounts in high volumes.
Then, the scammers will bundle together access to these accounts through something they call an "account generator". The account generator is in itself a subscription service, but available at much lower prices than the accounts they provide (stolen) access to.
With an account generator subscription, "customers" can typically access dozens of popular online services, including Netflix, Spotify, Disney Plus, and more.
In turn, the cybercriminals make money from the stolen accounts by selling these subscriptions, just like any other subscription service.
As you can see from the screenshot, you can "generate" access to 25 accounts per day for $12 per month, or $28 per year for 45 accounts per day.
If you consider that this includes access to a selection of dozens of streaming services, that sounds like a pretty cheap deal, right?
Except ... it is criminal, and "customers" are simply funding the continued "business" for scammers to acquire new victims.
The example service claims to have "generated" access to 1.5 million accounts. So basically, more than a million people have been compromised so that the scammers can make some hundred thousand dollars themselves.
So, how do the scammers steal these accounts?
There are basically two main approaches:
Phishing emails (and possibly SMS): Targets receive a notification that claims to come from a given streaming service, saying for example that their credit card has expired.
People who click the link are then presented with a fake login form. By entering their username and password, users send their login information to the scammers and their "account generator".
Weak or leaked passwords: If your streaming service password is easy to guess or already leaked, it may be easily picked up by these account "generators". Check out HaveIBeenPwned to see if any of your accounts may have been in danger.
In both cases, using two-factor authentication may help secure your own account from scammers (and their customers). Using a strong and unique password would also help in the latter case.
That is, if you don't share that password with anyone else, either.