Bouygues Telecom customers have reported that they were unknowingly subscribed to Netflix.
According to Bouygues, login credentials that its customers also used on other sites were compromised elsewhere on the Internet and reused without their knowledge to subscribe to the Netflix option (perhaps so that the subscriptions could be resold).
While declining responsibility, Bouygues nevertheless agreed to compensate the customers affected, taking the opportunity to recall good practices in password management.
To block mass authentication attempts, site operators generally limit login attempts coming from the same browser or IP address.
Knowing this, malicious actors simply send a few login requests from one IP address before switching to a new one. Unless it is a genuinely targeted phishing campaign, cybercriminals testing credential lists do not type the credentials in one by one; they run scripts that make hundreds or thousands of login attempts almost simultaneously.
These scripts use email addresses and passwords obtained from earlier data breaches. Terabytes of such data exist, millions upon millions of emails and passwords, part of the ongoing churn of passwords in the digital age. The password we used hundreds of times in the early 2000s is now coming back to haunt us.
Users must of course improve how they manage their login credentials, with the help of password managers, but it is also the responsibility of website and application operators not to become oracles that let attackers discover which credentials are valid. A person or IP address should be prevented from making more than a few login attempts, both in the total number of attempts and in the speed at which they can be submitted.
Tools such as CAPTCHAs, authentication by magic links, limiting the number of attempts, browser fingerprinting and, more generally, thinking about how a login page can be abused can all help to take a website out of the playing field in which cybercriminals discover usable credentials.
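As an added illustration (not from the article, Bouygues or Netflix), the following Python sketch shows why a per-IP limit alone is defeated by the IP hopping the article describes, and how a per-account limit plus a campaign-wide count of failing accounts catches the same burst; all thresholds, account names and addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60             # sliding window, seconds (constructed threshold)
PER_IP_LIMIT = 5        # failed attempts tolerated per IP in the window
PER_ACCOUNT_LIMIT = 3   # failed attempts tolerated per account (survives IP rotation)
CAMPAIGN_ACCOUNTS = 10  # distinct accounts failing in the window => stuffing alert

def _prune(queue, now):
    """Drop failure timestamps that fell out of the sliding window."""
    while queue and now - queue[0] > WINDOW:
        queue.popleft()

class LoginThrottle:
    def __init__(self):
        self.by_ip = defaultdict(deque)       # ip -> failure timestamps
        self.by_account = defaultdict(deque)  # account -> failure timestamps
        self.last_failure = {}                # account -> time of last failure

    def check(self, now, ip, account, success):
        """Return 'allow', 'block_ip' or 'block_account' for one login attempt."""
        ip_q, acct_q = self.by_ip[ip], self.by_account[account]
        _prune(ip_q, now)
        _prune(acct_q, now)
        if len(ip_q) >= PER_IP_LIMIT:
            return "block_ip"
        if len(acct_q) >= PER_ACCOUNT_LIMIT:
            return "block_account"
        if not success:                       # only failures count against the limits
            ip_q.append(now)
            acct_q.append(now)
            self.last_failure[account] = now
        return "allow"

    def stuffing_alert(self, now):
        """Many distinct accounts failing at once is the signature of a stuffing run."""
        active = sum(1 for t in self.last_failure.values() if now - t <= WINDOW)
        return active >= CAMPAIGN_ACCOUNTS

def simulate_campaign(accounts=12, guesses=4, per_ip=3):
    """Constructed burst: `guesses` leaked passwords tried against each account,
    the attacker moving to a fresh IP after every `per_ip` requests."""
    throttle, verdicts, n = LoginThrottle(), defaultdict(int), 0
    for _ in range(guesses):
        for a in range(accounts):
            ip = f"203.0.113.{n // per_ip}"   # TEST-NET-3 address, constructed
            verdicts[throttle.check(n * 0.1, ip, f"user{a}@example.com", False)] += 1
            n += 1
    verdicts["alert"] = throttle.stuffing_alert(n * 0.1)
    return dict(verdicts)
```

With three requests per IP the per-IP limit never fires, while the per-account limit stops every fourth guess and the campaign alert trips on the first pass over the list.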