Why do Hulu and Netflix not use 2-factor authentication?

Numerous user complaints ask the same question. And what should you do if your account is compromised?

Ax Sharma
Jul 12, 2020


Streaming service accounts get compromised all the time, whether due to data breaches, credential stuffing attacks from leaked databases, or simply because users employ weak passwords.

What counts is how easy a streaming service makes it for the rightful account owner to attempt recovery.

In the case of Hulu, however, it may not be so simple, especially when the compromised account is too old. Let me explain why.

Yes, it happened to me (shame!). An ages-old disposable Hulu account I hadn’t used since college days, and which was set up with a lax password to trial the service, got compromised in January 2020. Personally, I didn’t care that much as this was a throwaway account to begin with, but it’s still better to keep what’s yours to yourself, so I attempted a recovery.

Not only had the attacker changed the account’s password, but they had additionally changed the email address linked to the account.

Hulu sends out a security notification when an account email address is changed.

Now, to be fair, Hulu did send out a security notification to the original email address informing me of the change, along with the “new” (attacker’s) email. Hulu’s recommendation was to call the 877 number to attempt an account recovery, “if you did not make this change.”

Mind you, calling U.S. toll-free (800 or 877) numbers from outside the U.S. can be incredibly painful. As of January 2020, which is when the account got compromised, I was no longer living in the U.S.

Once I did manage to get to the number via a VoIP phone, it had 30+ minute wait times at the time. After dialing on multiple occasions and eventually giving up on long hold times, I tried to find alternate means of contact, such as a web chat or ticketing system.

In what can be described as a catch-22, the Hulu Help form requires you to log in first before contact with support can be initiated. Granted, the security feature prevents unauthorized…


Ax Sharma

Security Researcher | Tech Columnist | https://hey.ax