Hulu and Security

This morning, I woke up to a surprising email:

Wtf, this wasn't me. It must be a scam. I assumed it was just a phishing attempt that got through Gmail's filters. So I checked the headers and tried logging into hulu.com. Low and behold: my existing password was incorrect. Crap. Someone had gained control to my account.

Hulu's "if you did not make this change yourself" link takes you to the reset password form, which requires your email address. Similar to most forgot password flows, they send you an email with a link that allows you to enter a new password. However, this only works if your email on the account is still the same. In other words: because the attacker had changed the password, I was screwed. They were receiving the password reset links, not me.

So I called Hulu and asked them to help. The first lady who answered wasn't very polite nor helpful. She told me that I'm basically out of luck. Because I've been using PayPal for the past 4 years, there's no identifying information that she can use to find my account. Not her fault, but whomever designed this system should strongly consider rethinking it. I have numerous devices connected, I can give you transaction ids from 4 years of PayPal transactions, and my previous email. None of those work. Unbelievable.

I asked for a supervisor thinking that they might have access that goes above and beyond whomever I was speaking to and was transferred to... Amazon? Huh? While holding the phone with my crinked neck sandwiching it between my shoulder and ear, I opened my laptop and did some quick investigating thinking, Did Amazon acquire Hulu? Turns out they didn't, and the lady was either being a jerk or their phone system is buggy. I hung up.

Attempt number two. This time I got Charles. He was much more pleasant and sounded empathetic. His thoughts were that I'm basically out of luck and need to have PayPal cancel the monthly subscription and then create a new hulu account. For what it's worth, I've had a hulu plus account since 2011. This is a bummer. They don't store any information about email account history and the only information that can identify an account is all user changeable. That means that once someone has access to your account, they can change everything about it so it looks like they are the new owner. No history of email changes or name changes are stored. They couldn't look up my Roku or other devices that I have connected to the service to find my account.

PayPal transaction ids are worthless to them. They tried to tell me that it's PayPal's fault since they are the billing system, but in my experience that's completely untrue. They could have gained access to my address through PayPal, they could have sent the subscriber ID through to the recurring PayPal transaction. More on this later.

The support team is running out of ideas. I'm starting to lose my patience. How could this happen? How could they not keep track of changes to an account? Isn't changing a password followed by an email change suspicious? Did they really expect me to cancel my account and start a new one because it was compromised? In the past 6 years of emails from Hulu, there's no subscription, user or account id that I can provide them with. I felt irritated and defeated.

Luckily, I found a few security holes in Hulu's system that allowed me to regain access to my account. First: I was logged into Hulu on one of my other computers. Changing an account's password does not boot you out of Hulu or make you re-authenticate. In-fact, you can have a bunch of people logged into Hulu without worrying about what will happen if you change the password. That means I can attempt to view the account on the other device. So now that I discovered this, I was able to figure out what the email address of my account had been changed to, because when you click on "account", this is what you see:

Bingo. This is the email address of the user who tried to steal my Hulu account. Not only did their sub par security allow an attacker to gain access to my account, but it also allowed me to regain control. Touché.

Now I could end here, but I think it's much more valuable to provide tips and suggestions that I believe would have helped in this situation.

  1. When an email address is changed, send the old email a message letting them know. They claim to do this, but not in my scenario.
  2. Store a history of email address changes in a security ledger. If someone compromises an account, you can use this information to look up the old email address and/or reset it. Plus, knowing the history also means knowing that you're not being socially engineered. (For what it's worth: they didn't verify that it was actually me and my account, I could have been anyone taking control of a Hulu account).
  3. Don't send a customer to a billing system to solve an issue with an account that's been compromised on your service. Hulu should have the know how to remedy the situation without blaming PayPal. Providing them with a PayPal transaction ID should be sufficient to look up an account.
  4. Have a security policy. If it can go wrong, it will. Train everyone on how to handle things that do go wrong. The customer support rep said, "I've never seen this happen before." A policy and some basic training on these issues, which happen to everyone, could have greatly alleviated the deflation in his voice and the annoyance of the situation.
  5. If you change a password: invalidate current sessions. I'm still not sure if the attacker has access to my account after changing my password.

I got lucky. For someone who doesn't have multiple computers logged into Hulu, they would have been screwed. The only way out is to cancel your card or subscription through PayPal.

They did refund one month of my Hulu Plus subscription – that was nice.

Update: As a bit of an experiment, I recently changed my email address to a new email and I did receive a confirmation email, but only to the new account. My old email address received nothing. No message stating that it was udpated and no message that it no longer the email on record.

Comments