
Why would someone open a Netflix account using my Gmail address? [Resolved]

This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained.

I don't have a Netflix account and never have done. I have a Gmail address which I have never used for public communication. Suddenly I started getting email to this Gmail address from Netflix - not a "Welcome to Netflix" email or one requesting address verification, but what looked like a monthly promo for an existing account. This was addressed to someone with a different real name, with that name not similar in any way to the Gmail name.

After a few of these messages I decided to investigate by going to Netflix and trying to log in with that email address. Using the "forgotten password" option I was able to get a password reset email, change the password and log in. The account appeared to be from Brazil, with some watch history but no other personal details stored and no payment information.

Soon the emails from Netflix started to ask me to update payment information. I didn't, of course, and then they changed to "your account will be suspended" and then "your account has been suspended". The "come back to Netflix" emails are still coming in occasionally.

I don't see how this could possibly be a phishing attempt - I carefully checked that I was on the real Netflix site, used a throwaway password not used on any other sites, and did not enter any of my personal information. I also checked the headers of the emails carefully and they were sent by Netflix. So is this just a mistake on somebody's part, mistyping an email address (although it's surprising that Netflix accepted it with no verification), or something more sinister?


Question Credit: user2760608
Asked May 16, 2019
Posted Under: Security
5 views
5 Answers

The most probable situation is that someone used an arbitrary Gmail address (yours) in order to sign up for a free trial, or mistakenly tried to change their email to the wrong address (maybe to have a friend/family also get emails).

This would not be a "hack" or even a phishing attempt, just using any available address. This does mean that your Gmail address could not be used for a free trial at Netflix, so there is that negative impact to you.

As a side note, by logging into someone else's account, you have violated many countries' "unauthorised access" laws. I would not make a habit of doing this (or telling others on public sites that you have).


credit: schroeder
Answered May 16, 2019
  1. Because of the "dots don't matter" gmail policy, this is not likely to be someone else's bona fide Netflix account, unless a typo has occurred in the name other than dot placement.
  2. Even so, you should not hijack this account, it is not yours. So no changing the email address to another domain.
  3. The scam depends upon you having a Netflix account, and using your gmail address for logon.
  4. They are unlikely to have harvested your gmail account from Netflix, nor one that is "dot agnostically similar" (!), but again, typos.
  5. Just send a good example to Netflix, and create a rule to bucket future emails.

I don't even use my gmail address for Google.


credit: schroeder
Answered May 16, 2019

This is a common occurrence due to e-mail address confusion.

I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA dept of water and power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.

The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.

The worst was in early 2019, when I received medical records (Lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.

In my case, none of them are nefarious, but represent clueless users or even worse, clueless sales clerks (such as Lenscrafters in Maryland, the Apple store in Manhattan, and others too numerous to mention).

If people want to make up an address - then first.last@example.com - is the best one to use. It is invalid by definition in the Internet RFCs.

In hindsight, I realized that my gmail address is too short, and it should have the same length as a password (about 15 characters).


credit: The Programmer
Answered May 16, 2019

There's another possibility that nobody else has identified. Someone created a trial Netflix account with your gmail address in an attempt to see if you already have a Netflix account.

If the UI returns that that email address is already used, then it identifies it as an account to try dictionary-based login attempts against.


credit: Steve Sether
Answered May 16, 2019
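The "double-opt-in" step suggested in an earlier answer and the "address already used" signal described in the last one can be handled by the same signup flow. The sketch below is an added example, not code from any of the answers or from Netflix; every name in it (`signup`, `confirm`, `may_send_account_mail`, the in-memory `accounts` and `outbox`) is hypothetical, and the key and addresses are constructed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, constructed here
TOKEN_TTL = 24 * 3600             # assumption: confirmation links are valid for 24 hours
GENERIC_REPLY = "If this address can be used, a message has been sent to it."

accounts = {}  # email -> {"confirmed": bool}
outbox = []    # (recipient, kind, token); stands in for a real mail sender


def _sig(email, expires):
    # HMAC binds the token to one address and one expiry time.
    return hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()


def signup(email, now=None):
    """Return the same reply for new and existing addresses; details go only to the mailbox."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    if accounts.get(email, {}).get("confirmed"):
        outbox.append((email, "already-registered-notice", None))
    else:
        accounts[email] = {"confirmed": False}
        expires = int(now) + TOKEN_TTL
        outbox.append((email, "confirm-address", f"{expires}.{_sig(email, expires)}"))
    return GENERIC_REPLY


def confirm(email, token, now=None):
    """Activate the account only when the mailbox owner returns a valid, unexpired token."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(sig.encode(), _sig(email, expires).encode()):
        return False
    if now > expires or email not in accounts:
        return False
    accounts[email]["confirmed"] = True
    return True


def may_send_account_mail(email):
    """Promotions and billing notices go only to confirmed addresses."""
    return accounts.get(email.strip().lower(), {}).get("confirmed", False)
```

With this flow an address typed by the wrong person receives one confirmation message and nothing afterwards, and the web response no longer reveals whether an address already has an account.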