From September 2021 to March 2022, the 30 year-old offender resold lists with about 500,000 usernames and password combinations for various online services. He had set up an online retail operation through which buyers could individually purchase the login information of legitimate and unsuspecting users. He also sold access in the form of lists.
The offender sold access to services that included HBO Max, Paramount+, TV2 Play, Viaplay and Podimo. He also sold log-in details via Discord.
“The convicted person used a data leak to obtain the login information of random customers at a number of online services… (and then) sold the information on both collectively and individually. This … allowed his buyers to abuse the accounts of real customers,” said NSK Deputy Director Brian Kaas Borgstrøm.
According to the Danish Rights Alliance, he received a 40-day prison sentence which was suspended, plus 60 hours of community service. In addition, an amount of DKK 1,733.70 (about US$250.00) and a PC were confiscated. The convicted person must also pay the costs of the case.
Further reading
Convicted of hacking and reselling users’ access information to streaming services. Press release. April 16, 2024. Danish Rights Alliance (RettighedsAlliancen)
Resale of leaked login information results in a prison sentence. Press release. April 15, 2024. National Unit for Special Crime (NSK – National enhed for Særlig Kriminalitet), Denmark
Why it matters
The sale of stolen login credentials is a common piracy business model which occurs around the world. Different jurisdictions apply different levels of penalty against pirates. In this particular case, the penalties might be sufficient for this particular offender, but other jurisdictions might see them as much of a disincentive. In some cases, fines run into the millions.
“The case is a reminder that data leaks can lead to misuse by customers. Therefore, it is a good idea if you as a user regularly change your password and do not use the same code across services,” said NSK’s Borgstrøm.
