Netflix Cookie Error Reveals Private Information

Netflix have leaked sensitive customer data and exposed users' accounts to cancellation by malicious individuals.

BREAKING NEWS: An update by Netflix over the weekend to their site has revealed sensitive, private information for thousands of user accounts, and allowed strangers complete control over the accounts, including the ability to initiate account cancellation.

Netflix Exposes Customer Data

At around 2am on September 3rd, 2012, we noticed that our account was displaying a strange error: netflix streaming error n8107-154-5007 – not an error that is described on the Netflix Support Site, but one that was easy to understand. It said that we were out of minutes for the rest of the month. There was just one problem – we have unlimited streaming. I figured that something had probably got set incorrectly in a cookie somewhere – other computers were able to log in and play movies normally. That’s when the second, much more troubling problem became clear: the name on the account was not the name on our account – we were logged in as someone else.

A New Netflix, a New You

Clicking around the site to see how bad the problem was, I was shocked to see I was able to access all the ‘My Account’ pages. I had access to viewing history, for example. Who knew that a pastor could be so into kung fu movies? And what would he think now that I’d used up the last of his monthly viewing with my belated catch-up of Breaking Bad?

Digging deeper, the problem became much more troubling. I had access to the last 4 digits of this fellow’s credit card. I had his full address. I had his name, and his hotmail email account. I doubt it would be too hard to gain access to his email account with just that information. If I had an inclination to do so, and I found it too difficult, I could always send him an email or write. If I felt it was too urgent, there was always the option of a whitepages search for his phone number. Presumably, this also meant that the details on our account were up for grabs. Wonderful.

Appalled? Don’t Worry, I’ll Cancel the Account For You

As well as the access to personal information, I also had access to the account cancellation screen. I didn’t get any indication that there would be a code sent to the email address linked to the account – it looks as though it’s as easy as cancelling the account there and then. If it is, you can bet that some poor sods are going to have their accounts shut down by someone with a little less kindness than me (yes those people exist, thankyouverymuch). The change subscription page reverted to my account, strangely enough, but if that’s the case then people who might think it funny to just change an account are going to be more motivated to shut it down. Yay.

“We Thought They Were Confused”

I called Netflix (using the service code from the account I do not own) to let them know what was going on, and to find out how much they knew so far. As anyone who has worked with cookies knows, it can seem like it is a pain in the behind to run any kind of forced cookie refresh method (though technically it is possible, and actually pretty simple, so I have to wonder why they are not doing this), so instead Netflix are directing people who are “having trouble logging in” to visit which will apparently solve this problem. You know, aside from the fact that they just gave out your info to strangers.

“We made some changes to the website over the weekend,” said the call center phone jockey, “and while we had some problems yesterday the weird stuff didn’t start happening until a short while ago, when people started complaining they were logged into the wrong account. At first, we thought they were confused, but as time has gone on we’ve realized this is a real and serious problem.” All the more serious because, as of the time I called, they still had “no idea why this is happening.”

Netflix Troubles Continue

Netflix has been under pressure to adapt and improve during the last few years, with strange business plans from its CEO including spinning off the streaming service under a daft new name (and separate charge), and this latest gaffe is not likely to help improve its image. The total extent of the damage is yet to be seen, but nobody is happy when their personal info is given out to strangers over the Internet. Even harder to deal with in this case is that until Netflix fix this, your info is vulnerable. You can’t change your password to do anything. It may even be that if someone is able to store the information in a cookie for another account, they will be able to access your account at any time in the future – Netflix is giving users’ info out based on only the information stored on external computers, meaning there is nothing you can do for now. Those of us who are particularly proactive might want to try and change the shipping address for the time being, at least – if anyone has any other suggestions be sure to contact us and we’ll share.
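
The forced cookie refresh mentioned earlier, and the complaint that changing a password does nothing, both come down to revoking sessions on the server rather than trusting what the browser stores. As an added example (not Netflix's code; the article gives neither their cookie format nor the root cause), this Python code signs each session cookie and checks it against revocation counters held server-side. The cookie layout, key, account ids and function names are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed; a real service loads this from a secret store
GLOBAL_MIN_EPOCH = 1              # raised to force every outstanding cookie to be refreshed
ACCOUNT_EPOCH = {"acct-1001": 1, "acct-2002": 1}  # constructed accounts; bumped on password change


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(account_id, now=None):
    """Session cookie = account|epoch|issued_at|HMAC over those three fields."""
    epoch = max(ACCOUNT_EPOCH[account_id], GLOBAL_MIN_EPOCH)
    issued = int(time.time()) if now is None else now
    payload = f"{account_id}|{epoch}|{issued}"
    return f"{payload}|{_sign(payload)}"


def validate_cookie(cookie, max_age=86400, now=None):
    """Return the account id the cookie proves, or None if the user must log in again."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    account_id, epoch, issued, mac = parts
    if not hmac.compare_digest(mac, _sign(f"{account_id}|{epoch}|{issued}")):
        return None  # value was edited or corrupted on the client
    if account_id not in ACCOUNT_EPOCH:
        return None
    if int(epoch) < max(GLOBAL_MIN_EPOCH, ACCOUNT_EPOCH[account_id]):
        return None  # revoked by a forced refresh or a password change
    now = int(time.time()) if now is None else now
    if now - int(issued) > max_age:
        return None  # too old, regardless of epoch
    return account_id


def force_refresh_all():
    """Incident response: invalidate every cookie issued so far."""
    global GLOBAL_MIN_EPOCH
    GLOBAL_MIN_EPOCH += 1


def on_password_change(account_id):
    """Per-account revocation, so a password change ends existing sessions."""
    ACCOUNT_EPOCH[account_id] = max(ACCOUNT_EPOCH[account_id], GLOBAL_MIN_EPOCH) + 1
```

Because the account id is covered by the HMAC and the epoch is compared with server-held state, a cookie carrying another account's id fails validation, and one counter increment logs everyone out.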

For the meantime, there are going to be a lot of angry people out there, not least one pastor in North Carolina who can’t watch any more martial arts movies for the time being. I hope that he can forgive me – I doubt the same will be true for Netflix.