Former Netflix customers who cancelled their subscription months ago have had their accounts reactivated without their consent.
BBC Radio 4's You & Yours programme has learned that criminals can log in to dormant accounts and reactivate them without knowing users' bank details.
The video streaming service wants it to be easy for customers to rejoin.
As a result, customer data is held on the site for 10 months, including billing details.
Netflix says this information is available to members who choose to cancel and they will delete it all if requested by email.
Emily Keen from Oxford cancelled her Netflix service in April 2019, but found her account had been charged £11.99 by Netflix in September.
She said: "I tried to login to my account, but it said my email and password had not been recognised.
"It turns out the criminals had changed my login details completely and had signed me up for the most expensive service."
Ms Keen contacted Netflix customer services and was told her card would be blocked and she would be refunded.
However, Netflix went on to take two more payments in October and November, and refunded her only in part.
Former Netflix subscribers have been complaining on Twitter about it happening to them too:
Super disappointed with my @netflix customer service experience. Our account was hacked, supposed to have been deactivated, was reactivated by hacker, and continued to use our credit card. We were told to file chargeback and @netflix would not offer refund.— Porter Plant (@PorterPlant) October 29, 2019
There is a lucrative market for Netflix login details, with criminals selling "lifetime" accounts on eBay for as little as £3.
An eBay spokesperson told You & Yours that these listings were banned from the platform and that they would be removed and enforcement action taken against the sellers.
Netflix says the safety of its members' accounts is top priority, and members who notice any unusual activity on their account should contact them immediately.