Overnight, some Hubbl users began flagging an email from the Foxtel-owned streaming box company indicating their accounts had been compromised.
It turns out that some Hubbl owners have been caught up in a ‘credential stuffing’ incident. It is less dramatic than a breach of Hubbl’s own systems or a targeted cyber attack, but it is a good reminder that you should never reuse the same username and password across different services.
Although Hubbl’s systems were not compromised, credential stuffing is still a security incident for the accounts it reaches, which is why the affected users were sent emails.
The email was sent to affected customers notifying them of a ‘data security incident’; according to the email, the incident occurred between March 18 and April 17 2024.
“We have recently become aware of a data security incident where an unauthorised third party may have gained access to your Hubbl account for your Binge and Kayo service, using credentials that may have been previously leaked online from other sources,” the email to impacted customers, viewed by Gizmodo Australia, reads.
“During this attack, your username and password were successfully verified against Hubbl’s systems which would have allowed the unauthorised third party to gain access to your Hubbl account.”
According to the email, full names, email addresses, phone numbers, and masked credit card numbers of impacted users may have been exposed to a bad actor.
A Foxtel spokesperson provided Gizmodo Australia with the following statement:
“Our customer accounts are monitored 24/7 for suspicious or unusual activity. In some cases, we discover that, unrelated to our systems, customers are a victim of ‘credential stuffing’. This is the automated injection of stolen usernames and passwords into website forms. In other words, the email and password the customer uses for their account is duplicated somewhere else online and has been obtained by a bad actor and used to access their account. We encourage customers to be disciplined in the protection of their passwords, ensuring they are strong, unique, and not shared.”
What is credential stuffing?
Credential stuffing is not the same thing as a data breach of the service in question, and the distinction matters. Per OWASP, credential stuffing is the automated injection of stolen username and password pairs into website login forms in order to take over accounts: the attacker takes credentials exposed by a breach of one service (or collected through phishing) and replays them, usually with automated tooling, against the login pages of many other services, relying on the fact that people reuse passwords. Hubbl itself was not breached; the credentials that worked were ones customers had also used somewhere that was.
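The kind of “suspicious or unusual activity” monitoring Foxtel describes comes down to spotting the signature of a stuffing run in login logs: one source address trying a large number of different usernames in a short window, most of which fail, with the few successes being the accounts whose owners reused a leaked password. The following is an added, illustrative example written for this article, not Hubbl’s or Foxtel’s code; the log line format, the thresholds and the sample log lines are all assumptions constructed for the demonstration.

```python
"""Credential-stuffing detection over login-attempt logs (illustrative example).

Assumed log format, one attempt per line:
    <ISO-8601 timestamp> <source IP> <username> <success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one log line in the assumed format into an Attempt."""
    ts, ip, user, result = line.split()
    return Attempt(datetime.fromisoformat(ts), ip, user, result == "success")


def find_stuffing_sources(
    lines: List[str],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 20,
    max_success_rate: float = 0.2,
) -> Dict[str, dict]:
    """Flag source IPs that try many distinct usernames in a short window
    with a low success rate. A real user mistyping their own password never
    looks like this; a replay of leaked username/password pairs does.

    Returns {ip: {"attempts": n, "distinct_users": m, "compromised": [...]}},
    where "compromised" lists accounts the flagged IP logged into successfully.
    """
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        by_ip[attempt.ip].append(attempt)

    flagged: Dict[str, dict] = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # NamedTuple sorts by timestamp first
        # Slide a window starting at each attempt; flag on the first hit.
        for i, start in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a.ts - start.ts <= window]
            distinct_users = {a.user for a in in_window}
            if len(distinct_users) < min_users:
                continue
            successes = [a.user for a in in_window if a.ok]
            if len(successes) / len(in_window) <= max_success_rate:
                flagged[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(distinct_users),
                    "compromised": sorted(set(successes)),
                }
                break
    return flagged


def accounts_to_reset(flagged: Dict[str, dict]) -> List[str]:
    """Accounts the flagged sources actually got into: the ones whose
    passwords need a forced reset (the response Hubbl describes)."""
    return sorted({user for info in flagged.values() for user in info["compromised"]})


def sample_log() -> List[str]:
    """Constructed sample log (not real data): a few legitimate logins plus
    one stuffing burst from a single IP replaying 40 leaked pairs, of which
    only two still work because those two customers reused the password."""
    lines = [
        "2024-03-18T09:00:00 203.0.113.10 alice failure",  # typo, then success
        "2024-03-18T09:00:07 203.0.113.10 alice success",
        "2024-03-18T09:05:00 203.0.113.11 bob success",
        "2024-03-18T09:06:00 203.0.113.12 carol success",
    ]
    base = datetime(2024, 3, 18, 9, 10, 0)
    for i in range(40):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        result = "success" if i in (7, 23) else "failure"
        lines.append(f"{ts} 198.51.100.77 user{i:02d} {result}")
    return lines


if __name__ == "__main__":
    hits = find_stuffing_sources(sample_log())
    for ip, info in hits.items():
        print(f"block {ip}: {info['attempts']} attempts across "
              f"{info['distinct_users']} accounts, got into {info['compromised']}")
    print("force password reset for:", accounts_to_reset(hits))
```

On the constructed log, the single attacker IP is flagged (40 attempts, 40 distinct accounts, 2 successes) while the customer who mistyped her own password once is not; the two accounts the attacker reached are exactly the ones that would get the forced reset and notification email the article describes. In production the thresholds would be tuned against real traffic and combined with signals such as user-agent and geography, but the shape of the check is the same.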
The streaming box provider, which launched in Australia on March 10 to compete with the likes of Apple TV and Google Chromecast, has reset impacted customers’ passwords and blacklisted the IP address used by the unauthorised party so that it can no longer access those accounts.
“You should have received an automated email from us advising you of your password reset, so please follow the links in that email to reset your password,” the email adds. Hubbl also said it was continuing to monitor for malicious activity.
The Foxtel subsidiary is also recommending that customers change the passwords and security questions of any other accounts that use the same ones as their Hubbl account, and is urging impacted users to remain vigilant for scams.