An Australian man was sentenced to two years in prison for operating a site selling stolen Spotify accounts online.
The 23-year-old man ran at least four different sites dedicated to selling stolen accounts. Netflix, Spotify, Amazon Prime, HBO, Xbox Live, and EA Origin accounts were all available to purchase via his websites. Online streaming services and subscriptions have worked to curb piracy – but account piracy is still alive and thriving.
These so-called ‘account generator’ sites are a way to make media piracy palatable to the public. As TorrentFreak documents, these sites don’t actually generate anything. Instead, they post stolen credentials obtained through account hacks, phishing, and other blackhat activity. Accounts for music services like Spotify, Deezer, and TIDAL were available on these sites before the FBI shut them down.
The Australian Federal Police launched a cybercrime investigation in 2019 after an FBI referral. The investigation led to the arrest of a Sydney man for operating these so-called account generator websites.
“WickedGen operated for approximately two years selling stolen account details for online subscription services, including Netflix, Spotify, and Hulu,” police told reporters on Saturday.
“The account details were confirmed through a process of credential stuffing, which allows a list of previously stolen or leaked usernames, email addresses, and corresponding passwords to be reused and sold for unauthorized access.”
If you’ve ever seen someone complaining on Spotify about their account being ‘hacked,’ they were probably a victim of credential stuffing. Reusing passwords is the most common way to become a victim of this attack, since it’s like reusing your car key for your house. If an attacker steals your car, they now have access to your house, too.
Australian police say between the four account generator websites, there were 152,863 registered users. Of those users, at least 85,925 subscriptions were illegally obtained to access services like Spotify, Hulu, and Netflix.
“The man was charged with unauthorized access to (or modification of) restricted data, dealing in proceeds of crime etc. – money or property worth AUD$100,000 or more, providing a circumvention service for a technological protection measure, dealing in identification information and false or misleading information,” police said of the case.
Australian police executed a search warrant in March 2019 and found the laptop used to run the operation. They also seized around AUD$35,000 in cryptocurrency. Police say the man received ‘at least’ $529,798 USD through PayPal by selling illegally obtained subscription data to others for a couple of bucks at a time.