The Australian Federal Police (AFP) announced today that they arrested a man accused of selling stolen login credentials online. The unnamed man, a 21-year-old living in Sydney, Australia, operated a website called WickedGen.com that advertised having almost one million usernames and passwords for Netflix, Spotify, Hulu and other services. Police believe he generated AU$300,000 (about $211,000) selling the stolen logins.
Police in Australia were tipped off to WickedGen.com, which claimed to have about 120,000 paid users, by the FBI in 2018. While the arrest took place in Australia, the victims of the site were international and included people located in the US. When the administrator of the site was arrested by AFP yesterday, police seized "electronic materials and various amounts of cryptocurrencies" from his home.
According to police, the operator of WickedGen.com obtained the stolen accounts through credential stuffing -- a process in which an attacker takes usernames and passwords from a breach and attempts to "stuff" those credentials into other services. The process works because people often reuse passwords, so a breach of one service can expose working logins for multiple other sites. If you were looking for a reminder to use unique passwords or to finally adopt a password manager, let this be it.
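On the service side, credential stuffing leaves a recognizable trace: one source tries many different accounts in a short time and mostly fails, unlike a brute-force run against a single account or a user mistyping a password. The sketch below is an added example, not something from the article or the investigation; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-03-12T10:00:01 203.0.113.7 alice@example.com FAIL
2019-03-12T10:00:02 203.0.113.7 bob@example.com FAIL
2019-03-12T10:00:03 203.0.113.7 carol@example.com OK
2019-03-12T10:00:04 203.0.113.7 dave@example.com FAIL
2019-03-12T10:00:05 203.0.113.7 erin@example.com FAIL
2019-03-12T10:00:06 203.0.113.7 frank@example.com FAIL
2019-03-12T10:01:00 198.51.100.9 alice@example.com FAIL
2019-03-12T10:01:01 198.51.100.9 alice@example.com FAIL
2019-03-12T10:01:02 198.51.100.9 alice@example.com FAIL
2019-03-12T10:01:03 198.51.100.9 alice@example.com FAIL
2019-03-12T10:02:00 192.0.2.44 grace@example.com FAIL
2019-03-12T10:02:20 192.0.2.44 grace@example.com OK
"""

def parse(log_text):
    """Yield (time, ip, user, ok) tuples from whitespace-separated lines."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.25):
    """Flag IPs that try many distinct accounts in one window, mostly failing."""
    # Thresholds are illustrative assumptions; tune them against real traffic.
    by_ip = defaultdict(list)
    for when, ip, user, ok in sorted(events):
        by_ip[ip].append((when, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            recent = attempts[start:end + 1]
            users = {u for _, u, _ in recent}
            hits = {u for _, u, ok in recent if ok}
            if len(users) >= min_users and len(hits) / len(users) <= max_success_ratio:
                # Accounts with a successful login here need a forced reset.
                flagged[ip] = {"accounts_tried": len(users), "compromised": sorted(hits)}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(parse(SAMPLE_LOG)))
```

Only the first source is flagged: the repeated failures against one account and the single user's retry both involve too few distinct usernames to match the pattern.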