Everyone knows someone who gives a friend the password to their HBO Max account. That friend passes it to another friend, who passes it along to a cousin, and so on. Eventually that password ends up somewhere online, and the original user loses access to the account entirely, with personal information, including payment details, exposed to a bad actor. A study by Country Financial found that 74 percent of Americans share passwords for at least one online account, such as Hulu, Uber, Spotify, or Amazon Prime. With each hand-off, the likelihood of login credentials falling into the wrong hands increases drastically.
From a business perspective, this carries many risks, including account takeovers and lost revenue. Unfortunately, instances like the one above are rising, and companies are losing billions of dollars. According to the research firm Parks Associates, companies lost $9.1 billion to password piracy and sharing in 2019. With that number expected to rise to $12.5 billion by 2024, this is a timely and critical issue.
While account sharing is a high-profile issue for streaming services, many other industries, including healthcare and online gaming, struggle with it too. In those industries, account sharing can have graver consequences than an account takeover or lost revenue, such as regulatory and legal repercussions.
This guide will go through some of the most publicized examples of account sharing causing issues for companies and their customers in recent years. We will also cover some methods these businesses use to catch and prevent account sharing without negatively impacting their customers' experience.
Table of Contents
- Why do users share accounts?
- The risks of account sharing for businesses and consumers
- How are streaming companies responding to account sharing?
- Beyond streaming: account sharing in other industries
- Preventing account sharing
- How to (actually) prevent account sharing
- The bottom line
Why do users share accounts?
While more recently in the spotlight, account sharing is nothing new. It's been going on for years, with people sharing everything from Netflix and Hulu passwords to file-sharing accounts like Dropbox.
There are several reasons why people choose to share their accounts. For some, it's simply a matter of convenience. For example, if you have a family of four trying to watch different shows on Netflix simultaneously, having one account that everyone shares can be easier (and cheaper).
For others, it's a way to get around paying for multiple subscriptions. For example, if you and your roommates are all trying to save money, you might decide to split the cost of a Netflix subscription instead of each paying for an individual account.
For these reasons, account sharing is becoming increasingly common, and companies are losing out.
The risks of account sharing for businesses and consumers
The risk to consumers
When subscribers share their passwords, they're often putting themselves and their data at risk.
Sharing passwords is widely accepted by most consumers, but it exposes users to many risks. When you share your password with someone, you're giving them access to your account – and all of your personal information. Depending on the service, this could include your email, contact lists, financial information, and more.
Even if you trust the person you're sharing your password with, there's no guarantee that they won't accidentally expose it to someone else. Once a password falls into the wrong hands, anyone, including fraudsters, can access your account without your permission. Fraudsters obtain passwords through several methods, including phishing and credential stuffing (replaying credentials leaked from one site's breach against other sites). If that happens, you could lose control of your personal information.
To make matters worse, a shocking 72 percent of people reuse passwords across accounts, which is precisely the behaviour credential stuffing exploits. If someone gets their hands on one of your passwords, they can try it against your other accounts too.
The solution? Don't share your passwords. And if you must share one, use a different password for each account, so that a compromised password exposes only that one account and the rest remain safe.
The risks of account sharing to businesses
According to a new report from anti-fraud firm Sift, account takeover attacks are on the rise, with financial services firms facing an 850% increase in attacks from Q2 2020 to Q2 2021. And while often thought of as a harmless act, account sharing is often a contributing factor to these takeovers.
When multiple people share an account, it opens up the opportunity for bad actors to gain access. They can do this by obtaining login credentials through phishing attacks or other methods and then using them to log in and take over the account. These actions can be especially damaging if the account is used for business purposes, as sensitive data and financial information may be compromised.
Account takeovers ultimately cost businesses money. Once fraudsters gain access to an account, they can read sensitive information such as stored payment details (and confirm that the card is a valid, working payment method). They can then attempt fraudulent charges on the original account or elsewhere, which typically results in a chargeback. You can learn more about preventing card testing on your site without adding friction to checkout flows.
Loss of subscription revenue
For affected businesses, revenue lost to account sharing is a serious concern, and for the largest companies that lost revenue can total billions of dollars over time: industry-wide losses are estimated to reach at least $12.5 billion by 2024. Paying customers may end up bearing the burden, as services like Netflix have raised prices while their subscriber bases stagnate.
How are streaming companies responding to account sharing?
The issue of account sharing has come into the spotlight for streaming services recently after Netflix announced that it would be cracking down on users who share their passwords with others. However, Netflix is far from the only streaming company affected by account sharing - almost all streaming giants have either spoken out or changed policies to combat account sharing issues in recent years, including Spotify, Amazon, and HBO.
At one point in time, these same companies encouraged account sharing. In 2016, for example, Netflix CEO Reed Hastings said that he was okay with people sharing their Netflix passwords with others, as it helped to promote the service.
Similarly, HBO's CEO said the company was okay with account sharing, as it allowed people to sample the service and ideally upgrade to a full subscription.
However, times have changed, and companies are much less tolerant of account sharing, possibly due to sharing becoming more prevalent than ever. A Hub Entertainment Research study found that over 30 percent of consumers say they've given one of their online TV service passwords to someone not living with them. Among the Gen Z crowd (13-24-year-olds), that number jumps to 80 percent. And with Gen Z quickly becoming the largest consumer group, account sharing will only become more common over time.
Additionally, there's more competition in the streaming world than ever, and margins are razor-thin. As a result, companies can no longer afford to subsidize account sharing.
Netflix's heavily publicized account sharing problem
A late 2021 report by the firm JR Research, published on Seeking Alpha, explained a "confident" prediction that Netflix's ($NFLX) stock would reach $800 due to momentum and content leverage.
However, $NFLX now hovers at just over $200, following its first quarterly loss in subscribers in a decade. The account sharing issue is partially to blame, as the company estimates that 100 million households access Netflix through a shared account. That comes to nearly a third of viewers utilizing a service they do not pay for.
In response to the losses, Netflix is taking a hardline stance on account sharing, instituting new policies that will make it more difficult for users to share their passwords with others without them paying. That said, it's also a revenue opportunity, as Netflix aims to monetize sharing.
They're already testing paid sharing features in some markets, which would allow users to add additional people to their accounts for a monthly fee. It is unclear how successful this strategy will be, but it's clear that Netflix is taking the issue of account sharing seriously.
Once a viral marketing tool, account sharing has become a thorn in the side of the streaming giant, and it's not alone. Other companies are also struggling to deal with the growing phenomenon.
Spotify's 2018 approach to account sharing
The Verge reported in 2018 that Spotify was cracking down on people sharing accounts. The article said that Spotify was using GPS data to verify that people who signed up for the Family Plan (a discounted monthly rate for up to six people) were living at the same address. If they weren't, Spotify would suspend their accounts.
While a controversial move at the time, it's unclear how effectively it prevented account sharing. However, with that said, it does show that companies are willing to take drastic measures to combat the issue.
Using GPS data alone, however, is not a foolproof method. It's easy to spoof your location, and people can (and do) live in different parts of the country but still share an account. In addition, many families have members living in other states or countries. In the case of Spotify, their terms of service stated that the family plan was intended for members of the same household, but this rule does not exist for most streaming services today.
The core issue is that a single signal, GPS data in this case, is not enough to verify that people are where (or who) they say they are, and there are many ways to game it. Any robust approach has to combine several signals; GPS alone will not cut it.
Amazon Prime's response to account sharing
Amazon's subscription revenue, including Prime, brings the e-commerce giant over $25 billion annually. To protect those margins, Amazon is counting on people not sharing their Prime accounts. The company has taken a stand against account sharing, limiting the number of adults who can share Prime benefits to two, down from the previous limit of four. In addition, it has instituted policies like the one quoted below to discourage Prime members from widely sharing their accounts.
"To share Prime benefits and digital content between adults, both adults must link their accounts through Amazon Household and agree to share payment methods. Both adults will keep their accounts while sharing Prime benefits. To share Prime benefits with your teen, add the teen to your Amazon Household"
Other streaming services
As Axios reports, HBO Max also aims to limit account sharing, and they only let up to three profiles within the same account stream simultaneously. Similarly, Hulu with Live TV requires you to pay to stream from one account with more than two devices simultaneously.
Lastly, with Disney+, one statistic estimates that five people share an account for every one paid subscriber. In Spain, Disney+ even went as far as to send out a survey earlier this year asking their users why they share their accounts. The most common response was that the other people "didn't want to pay" for the service.
Beyond streaming: account sharing in other industries
Password sharing isn't just a risk to the bottom line of subscription-based businesses like Netflix and Spotify. It's also a significant problem for many other industries, including healthcare, academia, gaming, and more.
Account sharing in healthcare
Account sharing in healthcare is a significant issue, and the most considerable risk is violating HIPAA requirements. Unfortunately, account sharing is quite common in healthcare settings and causes more harm than good. For example, in a recent international study, 73.6% of those surveyed reported receiving a team member's password.
While this might seem harmless at the time, sharing passwords across professional roles (such as a nurse logging in with a doctor's credentials) corrupts the audit log and user action trail: every action is attributed to the doctor, whoever actually performed it. Those trails are needed to submit invoices and records to collect payments from insurance companies, and HIPAA's audit requirements assume that each access to patient data can be traced to an individual.
Account sharing in education
While security concerns are undoubtedly paramount in healthcare, it's not the only sector that benefits from preventing account sharing. Any organization that relies on subscription-based services or access to sensitive data has a stake in it.
Education is one such sector. In a recent study by Carnegie Mellon University, researchers found that 74% of respondents (primarily staff and student researchers) shared their accounts, either through an Enterprise Random Password Manager (ERPM) or an individual password manager, or unofficially through ad hoc methods such as plaintext messages stored in a group chat.
The study's participants were motivated to share their accounts primarily because they perceived them as low-risk and essential for saving money. They also indicated that security was secondary to other priorities, such as research, and that trust in colleagues and the institution was a social norm.
One of the challenges facing academia is that their IT systems are often less rigid than in other industries. This is due to the need for academic freedom, which means that institutions need to be able to accommodate a wide range of research activities. As a result, it can be difficult to enforce security policies and procedures.
Account sharing in gaming
With $300 billion in revenue, the global gaming industry is no small potatoes. But account sharing remains a big issue for gaming companies, which regularly ban thousands of players from sharing their login information.
Blizzard, for example, recently issued a wave of account-sharing bans affecting many players. Steam also has a strict policy against account sharing, stating: "You may not reveal, share or otherwise allow others to use your password or Account except as authorized by Valve."
Mobile gaming companies similarly have policies against account sharing. For example, Supercell, which makes the popular Clash of Clans game, warns players that "selling, buying, sharing, or giving game accounts to other players is against our terms of service."
Further, Tencent Games, the creator of PUBG Mobile, has a support page warning players that "we do not support trading or sharing of the game accounts" and that "any activities done against game policy and terms may lead to a permanent ban on that account." And Wargaming notes that "players must keep all account information confidential."
Gaming companies of all shapes and sizes are taking a stand against account sharing, which cuts their profits, disrupts gameplay, and threatens the security of player information. Despite these policies, account sharing is still rampant in the gaming world, which hurts bottom lines and causes friction between players. Smaller gaming studios are especially hard-hit by account sharing, as they can't afford to lose even a few paying customers.
In gaming, account sharing often happens for more nefarious reasons than lending a login to a friend, such as selling boosted accounts or power-leveling services. That hurts the game companies and spoils the experience for players who level up legitimately.
Preventing account sharing
Common account sharing prevention challenges
Account sharing isn't an easy problem to solve. If it were, global companies like Amazon and Netflix would have solved it by now. The difficulty lies in how the vast majority of users, who are not sharing their accounts, legitimately use their logins. There are a few common challenges when preventing account sharing. Let's talk about three of them.
IP addresses
An IP address, or Internet Protocol address, is a numerical identifier assigned to a device connected to the Internet (or, behind a home or corporate router, to the whole group of devices sharing that connection). Your IP address is logged when you visit a website. At a basic level, an IP address is like a mailing address for the Internet: just as your home address tells the post office where to deliver your letters, an IP address tells the Internet where to send data.
Internet service providers (ISPs) assign IP addresses to customers when they connect. An ISP may give each customer its own public address, or have many customers share a pool of addresses, in which case several unrelated households can appear behind a single IP.
When a website sees an IP address, it can use that information to estimate where the user is. For example, the website will most likely want to know which country the user is in to show the correct language or target advertising.
In some cases, though, businesses may want to act on IP data, for example by blocking logins from an IP address associated with fraud or abuse, or by flagging an account that is accessed from many unrelated IP addresses.
However, there are several problems with relying on IP addresses to identify account sharing:
- Users may log in from a shared network, meaning many unrelated users legitimately share the same IP address (university students accessing accounts from their dorm rooms or elsewhere on campus, for example).
- Some users have dynamic IP addresses that change over time, and a single phone changes address every time it moves between WiFi and a mobile network.
- Users can use proxy servers or VPNs (Virtual Private Networks) to mask their IP address and make it appear as if they are in a different country or region.
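To make the limitation concrete, here is an added example (not code from the original page or from any vendor) that runs two simple heuristics over a constructed login log: one that counts distinct IP addresses per account and one that counts distinct devices. The events, thresholds, and the `device_id` field (assumed to come from some stable device identifier) are all illustrative assumptions.

```python
"""Compare an IP-only account-sharing heuristic with a device-based one
over a constructed login log. Added example; the events are made up and
the thresholds are illustrative, not any vendor's algorithm."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class LoginEvent(NamedTuple):
    account: str
    ip: str
    device_id: str   # stable per-device identifier; assumed to be available
    ts: datetime


# Constructed sample log (not real data). Addresses are from the
# RFC 5737 documentation ranges.
T0 = datetime(2023, 3, 1, 8, 0)
EVENTS: List[LoginEvent] = [
    # alice: one phone moving between home WiFi, a carrier network and a VPN
    LoginEvent("alice", "203.0.113.10", "dev-a1", T0),
    LoginEvent("alice", "198.51.100.7", "dev-a1", T0 + timedelta(hours=3)),
    LoginEvent("alice", "192.0.2.44", "dev-a1", T0 + timedelta(days=1)),
    LoginEvent("alice", "203.0.113.10", "dev-a1", T0 + timedelta(days=2)),
    # bob: password handed around; four devices, two of them behind one IP
    LoginEvent("bob", "203.0.113.55", "dev-b1", T0),
    LoginEvent("bob", "203.0.113.55", "dev-b2", T0 + timedelta(minutes=30)),
    LoginEvent("bob", "198.51.100.90", "dev-b3", T0 + timedelta(days=1)),
    LoginEvent("bob", "192.0.2.201", "dev-b4", T0 + timedelta(days=3)),
    # carol and dave: separate paying accounts behind one campus NAT address
    LoginEvent("carol", "203.0.113.200", "dev-c1", T0),
    LoginEvent("dave", "203.0.113.200", "dev-d1", T0 + timedelta(hours=1)),
]


def _by_account(events: List[LoginEvent],
                window_days: int) -> Dict[str, List[LoginEvent]]:
    """Bucket events per account, keeping only those within window_days
    of the newest event in the log."""
    cutoff = max(e.ts for e in events) - timedelta(days=window_days)
    buckets: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        if e.ts >= cutoff:
            buckets[e.account].append(e)
    return buckets


def flag_by_ip(events: List[LoginEvent], max_ips: int = 2,
               window_days: int = 7) -> Dict[str, bool]:
    """IP-only heuristic: flag an account seen from more than max_ips
    distinct addresses. This punishes mobile and VPN users."""
    return {acct: len({e.ip for e in evs}) > max_ips
            for acct, evs in _by_account(events, window_days).items()}


def flag_by_device(events: List[LoginEvent], max_devices: int = 3,
                   window_days: int = 7) -> Dict[str, bool]:
    """Device heuristic: flag an account used from more than max_devices
    distinct devices. Unaffected by the IP changing under one device."""
    return {acct: len({e.device_id for e in evs}) > max_devices
            for acct, evs in _by_account(events, window_days).items()}


def accounts_per_ip(events: List[LoginEvent]) -> Dict[str, int]:
    """Distinct accounts behind each IP. A high count usually means a NAT
    or campus gateway, not sharing, so it must not be used on its own to
    penalise an account."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e.ip].add(e.account)
    return {ip: len(accts) for ip, accts in seen.items()}


if __name__ == "__main__":
    print("IP-only     :", flag_by_ip(EVENTS))
    print("Device-based:", flag_by_device(EVENTS))
    print("Accounts/IP :", accounts_per_ip(EVENTS))
```

Run against the sample log, the IP-only rule flags alice (one phone, three networks) alongside bob (four devices), while the device rule flags only bob; and the campus address serves two separate paying accounts, which is a NAT, not sharing. The point is not that device identifiers are magic but that a sharing signal has to be per-device, not per-address.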
Cookies
Cookies are small pieces of data a website stores in your browser when you visit. They serve many purposes, including remembering your login and tracking your browsing history.
When you visit a site, the server sends a cookie to your browser. The cookie contains information such as the domain it belongs to and a unique identifier, usually a random string of characters. On your next visit, the browser sends the cookie back to the server, letting the site recognize you as a repeat visitor and tie this visit to your previous one(s).
Some cookies are session-based, which means they last only for the duration of your visit. Others are persistent, which means they remain in your browser even after you've closed it or turned off your computer. Persistent cookies track your behavior across multiple visits to a website or even across different websites; advertisers, for example, often use persistent cookies to track your behavior on sites that use their services. For spotting account sharing, however, a cookie identifies a browser profile rather than a person or a device: clearing cookies, switching browsers, or opening a private window produces a fresh identifier, so counting cookies can both over- and under-estimate how many people are really behind an account.
Multiple device account access
Streaming subscribers will most likely access their subscription on multiple devices over the life of the account: several smart TVs, tablets, phones, and laptops. All of these can be legitimate devices belonging to a single account holder. Limiting devices is tough where it makes sense for one user to access the account from several devices regularly, and even simultaneously (YouTube or Spotify, for example).
Some services allow a user to be logged in simultaneously on multiple devices, but only allow a user to stream content from a single device at a time. An example is Sling TV, where, on some subscription levels, you can log in on multiple TVs but only stream live television content from one device simultaneously. If a user attempts to stream content from a second device while one device is streaming, the content on the original device will pause, and the content will begin on the second device.
While this is easier to enforce in some instances, on some streaming services, it becomes more complicated when taking families into account. For example, one primary account holder could be a household parent and want to utilize their streaming subscription to stream content for themselves on one device and for their children on an additional device simultaneously. Limiting devices, in that case, is less enticing for a subscription streaming service looking to provide a flexible customer experience to their users.
Similar to IP addresses, limiting devices becomes more complicated when accessed via a public WiFi or computer, such as a university library computer.
However, that same flexibility makes account sharing much easier for those who want to pass their login to friends and family who do not live with them, sometimes not even in the same state or time zone.
So what is the best way to prevent account sharing without degrading the experience of users who pay for and legitimately use the service?
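The concurrent-stream rule described above (log in anywhere, but only N streams at once, and starting one more pauses the oldest) is simple enough to show in code. This is an added example with assumed class and method names, not Sling TV's or any other service's implementation:

```python
"""Per-account concurrent-stream limit: a plan allows max_concurrent
simultaneous streams; starting another pauses the oldest active one
instead of rejecting the request. Added example with assumed names."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Stream:
    device_id: str
    started_at: int        # logical clock tick; ordering is all that matters
    paused: bool = False


@dataclass
class AccountStreams:
    max_concurrent: int                          # plan limit, e.g. 1 or 2
    streams: Dict[str, Stream] = field(default_factory=dict)
    clock: int = 0

    def _active(self) -> List[Stream]:
        """Active (not paused) streams, oldest first."""
        return sorted((s for s in self.streams.values() if not s.paused),
                      key=lambda s: s.started_at)

    def start(self, device_id: str) -> Optional[str]:
        """Start or resume playback on device_id. Returns the device that
        was paused to make room, or None if no eviction was needed."""
        self.clock += 1
        if device_id in self.streams:
            self.streams[device_id].paused = False
            self.streams[device_id].started_at = self.clock
        else:
            self.streams[device_id] = Stream(device_id, self.clock)
        active = self._active()
        if len(active) > self.max_concurrent:
            # The requesting device is the newest, so it is never active[0].
            oldest = active[0]
            oldest.paused = True
            return oldest.device_id
        return None

    def stop(self, device_id: str) -> None:
        """Device stopped playback; frees its slot."""
        self.streams.pop(device_id, None)

    def active_devices(self) -> List[str]:
        return [s.device_id for s in self._active()]


if __name__ == "__main__":
    single = AccountStreams(max_concurrent=1)
    print(single.start("living-room-tv"), single.active_devices())
    print(single.start("phone"), single.active_devices())   # tv paused
    family = AccountStreams(max_concurrent=2)
    for dev in ("tv", "tablet", "phone"):
        print(dev, "->", family.start(dev), family.active_devices())
```

Because logins are unlimited and only playback is capped, the household parent in the example above works fine on a two-stream plan, while a password passed to four distant friends turns into a constant tug-of-war over the slot, which is the friction that discourages sharing.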
How to (actually) prevent account sharing
Businesses ultimately want to prevent account sharing in order to avoid revenue loss and potential data breaches. This article has covered the common challenges of trying to curb account sharing among users, how larger companies such as Netflix and Amazon are tackling the issue, and how prevalent it is in industries beyond consumer streaming and shopping.
We also saw that relying on IP addresses, cookies, device limits, or some combination of them isn't enough to combat account sharing effectively. Businesses that want to decrease unauthorized account sharing must implement better verification methods, such as device identification.
Let’s talk about a couple of ways a business can work to decrease the frequency of shared accounts.
Add Extra Login and Device Verification Steps
Businesses can require two-factor authentication for every sign-in, or verification each time a user logs in from a new device. In practice, this looks like a text message or an activation code (think streaming services) when logging in on a new device. Again, though, it's not a catch-all: if a user shares an account with someone, they usually have regular contact with that person and can relay the verification or activation code in near real time.
Another way to curb subscription sharing is to enforce session timeouts and time-based forced logouts. After 90 days, for example, users must log in and verify their account again before they can use it. This creates friction between the account owner and whoever else is using the shared account, and can discourage owners from sharing their accounts with others.
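The two measures above (verify on a new device, re-verify after a fixed period) combine naturally into one login policy. The following is an added example with assumed names and an assumed per-account device cap; it is not any service's code, and it assumes a stable `device_id` is supplied by the client or by a device-identification layer:

```python
"""New-device verification plus periodic re-verification, per account.
Added example with assumed names; REVERIFY_AFTER follows the 90-day figure
in the text, MAX_VERIFIED_DEVICES is an assumed plan limit."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

REVERIFY_AFTER = timedelta(days=90)   # illustrative period from the text
MAX_VERIFIED_DEVICES = 4              # assumed plan limit


@dataclass
class DeviceRecord:
    verified_at: Optional[datetime] = None   # None until a code is confirmed
    last_seen: Optional[datetime] = None


@dataclass
class AccountDevices:
    devices: Dict[str, DeviceRecord] = field(default_factory=dict)


class LoginPolicy:
    """Decides per login whether to allow the session or demand an
    out-of-band step (SMS, email, or activation code)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountDevices] = {}

    def check(self, account: str, device_id: str, now: datetime) -> str:
        acct = self.accounts.setdefault(account, AccountDevices())
        rec = acct.devices.get(device_id)
        if rec is None:
            verified = [d for d in acct.devices.values() if d.verified_at]
            if len(verified) >= MAX_VERIFIED_DEVICES:
                return "deny:device_limit"       # assumed cap, see lead-in
            acct.devices[device_id] = DeviceRecord(last_seen=now)
            return "verify:new_device"
        rec.last_seen = now
        if rec.verified_at is None:
            return "verify:new_device"           # code was never confirmed
        if now - rec.verified_at > REVERIFY_AFTER:
            return "verify:expired"              # time-based forced re-login
        return "allow"

    def confirm(self, account: str, device_id: str, now: datetime) -> None:
        """Called once the user enters a correct verification code."""
        self.accounts[account].devices[device_id].verified_at = now

    def verified_devices(self, account: str) -> int:
        acct = self.accounts.get(account, AccountDevices())
        return sum(1 for d in acct.devices.values() if d.verified_at)


if __name__ == "__main__":
    policy = LoginPolicy()
    t = datetime(2023, 1, 1)
    print(policy.check("alice", "tv", t))                       # verify:new_device
    policy.confirm("alice", "tv", t)
    print(policy.check("alice", "tv", t + timedelta(days=30)))  # allow
    print(policy.check("alice", "tv", t + timedelta(days=91)))  # verify:expired
```

Note that only the account owner can complete `confirm`, because the code goes to the owner's phone or email. A friend using the shared login must ask the owner for the code on first use and again every 90 days on every device, which is exactly the friction the text describes; the policy does not stop an owner who is willing to relay codes indefinitely.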
Invest in Visitor Identification Software
Suppose you don’t want to bring additional steps to login or degrade the overall customer experience of the software. In that case, there are more passive ways to verify that only a small number of devices are accessing the account. This is where device identification comes into play.
Adding software that identifies unique devices and associates them with a login can help curb account sharing. This includes software such as Fingerprint Pro, a 99.5% accurate device identification solution for businesses that want to up their account sharing prevention game.
Device identification relies on more than IP addresses and cookies to identify users. By combining over a hundred signals through machine learning, and without compromising a user's privacy, you can identify unique devices with up to 99.5% accuracy. Because so many signals are used, Fingerprint Pro can identify a device even when the user is in incognito mode or visiting through a VPN.
We've helped many businesses curb account sharing, including a major EdTech company, where implementing Fingerprint Pro increased revenue and preserved their CSAT score among customers.
The bottom line
Companies in virtually all industries lose billions of dollars annually to account sharing. Sharing login credentials has become so common that 74 percent of Americans admit to doing it. Businesses need to take a multi-faceted approach to combat this issue long-term, including transparent terms, enforcement of those terms, and the use of digital fingerprints.