Italian police have dismantled CINEMAGOAL, an illegal streaming service that had a hidden and alarming twist: it secretly stole login credentials from real, paying subscribers of Netflix, Disney+, Spotify, Sky, and DAZN. Rather than hosting pirated content itself, the app silently grabbed your streaming service’s authentication codes every three minutes and passed them to piracy customers — meaning strangers could watch on your account while you paid the bill.
Operation “Tutto Chiaro” (All Clear) saw Italian law enforcement conduct 100 searches nationwide and seize servers in France and Germany containing the app’s source code. Authorities identified over 70 resellers and sent financial penalties of up to €5,800 to the first 1,000 identified subscribers. The estimated damage to streaming platforms is around €300 million. This attack method was described as “a highly advanced and previously unseen system” that bypassed standard security protections.
How to check if you’re affected
Affected products include Netflix, Disney+, Spotify, Sky, and DAZN accounts that may have been accessed without your knowledge. You can check with these steps:
- Review your watch history on each platform. If you see shows or movies you do not remember watching, someone else may have accessed your account.
- Check signed-in devices: In your account settings on Netflix, Disney+, and Spotify, look for a list of active devices or sessions. Remove anything you do not recognise.
- Change your password on each affected streaming service, then use the “sign out of all devices” option to kick out any existing sessions.
- Enable two-step verification on your streaming accounts if the option is available — it adds an extra lock even if your password is ever compromised.