When you cancel Netflix, you might assume your relationship with the company ends. But the way the company leaves accounts open for reactivation means that hackers can potentially resume your payments without needing your credit card details.
The BBC reports that a number of ex-members have had their accounts reactivated without permission. The victims only noticed the change when their dormant account started billing them again.
One such victim was Emily Keen, who found a bill of £11.99 from Netflix on her account in September after cancelling back in April.
“I tried to log in to my account, but it said my email and password had not been recognised,” she told the BBC’s You & Yours programme. “It turns out the criminals had changed my login details completely and had signed me up for the most expensive service.”
How is this possible? Well, Netflix holds on to customer data for ten months after cancellation so that former members can be quickly reinstated should they have a change of heart. The company does explain this when you cancel, as captured in the screengrab below:
While Netflix says it will delete this data if a request is made by email, few people are likely to do so. And that leaves them open to this kind of account hijack if their password gets out, which isn’t wholly unlikely given how often people reuse credentials between sites.
Ms Keen isn’t the only person to be hit by this kind of attack, either.
In all likelihood, this kind of attack isn’t for the hacker’s own Netflix bingeing. There’s a steady black market business for stolen Netflix credentials, and targeting cancelled accounts is a relatively easy mark. After all, if you think you’ve cancelled your account, you’re unlikely to try logging in, allowing the hackers to get away with it for longer.