So it's IPL (cricket) season in India. There is an OTT service called Hotstar (it's like the Netflix of India), and the cricket streams exclusively on Hotstar..
So a quick Google search reveals literally thousands of emails & passwords; I found a pastebin containing 500 emails & passwords... but those were leaked last year, most of the passwords have been changed & many of them have enabled 2FA. After looking through them we can find some passwords are similar to their emails, some contain a birth year like 1975, 1997 etc., some passwords end with 123.. So after trying a few different versions of the passwords like
1) password123 -> password@123, password1234
2) passwordyear -> password@year
3) for passwords similar to emails, we can add 123, 1234, @ etc.
I created a quick Python script for sending login requests.

So after like 30-40 mins of work, I have 7 working accounts.

*For those who have a basic idea of security practices, you can skip this part.

Lessons learnt
1) Enable 2FA.
2) Use strong passwords; if you change your password, the new password should be very different from the old one.

There are several thousand leaked plaintext passwords for services like Netflix, Spotify, Hulu etc. easily available using a simple Google search.
After looking through & analysing thousands of them you can find many common passwords and common patterns;
they may not be as obvious as password or password123, but they are easily guessable.
Mainly this is because these types of entertainment services are used by the average Joe, who doesn't care about strong passwords, 2FA etc.
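The two lessons above are the defender's side of the password mutations the post describes (appending 123 or 1234, inserting @, swapping in a birth year, reusing the email's local part). As an added example, not code from the original post and not the author's login script, here is a server-side password-change check in Python that rejects a new password obtained from the old one by exactly those mutations, a near-copy of it, or one built from the email address. The separator set, the 0.75 similarity threshold and the sample credentials are assumptions of the example, chosen to illustrate the patterns named in the post.

```python
"""Password-change check for the weak-rotation patterns described in the post above."""
from difflib import SequenceMatcher

# Characters the post reports being bolted onto a leaked password ("@" plus the usual
# shift-number row). This set is an assumption of the example; extend it to taste.
SEPARATORS = "@!#$%^&*._-"


def core_of(password: str) -> str:
    """Lower-case the password and peel off the cheap suffixes the post describes:
    trailing symbols, then up to four trailing digits (123, 1234 or a birth year such
    as 1997), then symbols again, so 'Password@1997' and 'password123' both become
    'password'. Longer digit runs and all-digit passwords are left untouched."""
    p = password.lower().rstrip(SEPARATORS)
    bare = p.rstrip("0123456789")
    if bare and len(p) - len(bare) <= 4:
        p = bare.rstrip(SEPARATORS)
    return p


def squash(s: str) -> str:
    """Keep only letters and digits, so 'ravi.kumar' and 'ravikumar' compare equal."""
    return "".join(ch for ch in s if ch.isalnum())


def similarity(a: str, b: str) -> float:
    """Share of matching characters in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def is_trivial_rotation(old: str, new: str, email: str = "",
                        threshold: float = 0.75) -> tuple[bool, str]:
    """Return (reject, reason). Rejects a new password that is the old one with a
    different suffix, a near-copy of it (password -> passw0rd), or derived from the
    email's local part. The 0.75 threshold is an assumed tuning value, not a standard."""
    old_core, new_core = core_of(old), core_of(new)
    if new_core == old_core:
        return True, "new password is the old one with a different digit/symbol suffix"
    if similarity(old_core, new_core) >= threshold:
        return True, "new password is too similar to the old one"
    local = core_of(email.split("@", 1)[0])
    if len(local) >= 4:  # very short local parts would match almost anything
        if squash(local) in squash(new_core) or similarity(local, new_core) >= threshold:
            return True, "new password is derived from the email address"
    return False, ""


if __name__ == "__main__":
    # Constructed sample inputs for the demo; none of these are real credentials.
    cases = [
        ("password123", "password@1234", "a.user@example.com"),
        ("cricket2019", "Cricket@2020", "a.user@example.com"),
        ("password", "passw0rd", "a.user@example.com"),
        ("summer2019", "ravikumar@123", "ravi.kumar1975@example.com"),
        ("password123", "correct-horse-battery-staple", "ravi.kumar1975@example.com"),
    ]
    for old, new, email in cases:
        reject, why = is_trivial_rotation(old, new, email)
        print(f"{old!r:16} -> {new!r:32} {'REJECT' if reject else 'ok'} {why}")
```

This check only needs the old and new password at the moment of the change (after the old one has been verified), so it adds nothing to the stored password hash. It complements rather than replaces a check against known-breached password lists and 2FA: a password that passes this filter can still be the one sitting in last year's paste.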

  • 2
    There are Telegram channels where hacked accounts for various services come regularly. These are mostly old people who don't have knowledge about tech, and their kids set up accounts for them. If you use those accounts without changing the password, it's good for everyone.
  • 3
    Yeah, not only Telegram channels; we have hundreds of others like Discord channels, subreddits, Facebook groups, WhatsApp groups,
    and yes, many of them are set up by their kids, family members etc.

    Changing passwords is obviously a bad idea; they will eventually reset it. Moreover, most of the subscriptions are auto-renewed.. so we can use them as long as the account is renewed.
  • 1
    “Cricket streams exclusively on HotStar”

    It's also shown on Star Gold, bro.
  • 1
    @Cyanide that's a TV channel, right? I'm talking about streaming..
    Anyway, it's all Star India, isn't it.
  • 1
    Another point is that there's no real harm to the user if their credentials for a service like this are leaked. At least there shouldn't be. The account exists only to verify that the user has paid for the service.
  • 3
    @theabbie @linus-torvald @electrineer @Cyanide what kind of nonsense have the four of you cooked up here together..
  • 2
    @F1973 Hahaha! Sorry Baba!