Former Netflix customers who cancelled their subscription months ago have had their accounts reactivated without their consent.
BBC Radio 4's You & Yours programme has learned that criminals can log in to dormant accounts and reactivate them without knowing users' bank details.
The video streaming service wants it to be easy for customers to rejoin.
As a result, customer data is held on the site for 10 months, including billing details.
Netflix says this information is available to members who choose to cancel and they will delete it all if requested by email.
Emily Keen from Oxford cancelled her Netflix service in April 2019, but found her account had been charged Â£11.99 by Netflix in September.
She said: "I tried to login to my account, but it said my email and password had not been recognised.
"It turns out the criminals had changed my login details completely and had signed me up for the most expensive service."
Ms Keen contacted Netflix customer services and was told her card would be blocked and she would be refunded.
However, Netflix went on to take two more payments in October and November, and refunded her only in part.
Former Netflix subscribers have been complaining on Twitter about it happening to them too:
There is a lucrative market for Netflix login details, with criminals selling "lifetime" accounts on eBay for as little as Â£3.
An eBay spokesperson told You & Yours that these listings were banned from the platform and that they would be removed and enforcement action taken against the sellers.
Netflix says the safety of its members' accounts is top priority, and members who notice any unusual activity on their account should contact them immediately.
Source : BBC