A week after launching, Disney+, the online subscription streaming service from the Walt Disney Company, has seen thousands of its users' accounts taken over and their account details compromised.
The compromised accounts are being sold for between $3 and $11 USD each on the dark web, ZDNet reported Saturday, but how they were compromised remains officially unknown. Disney+ users started complaining on social media shortly after the service launched that their accounts had been hacked, saying those behind the takeovers had changed the account's email address and password, locking the rightful owners out.
The speed with which the attackers harvested Disney+ credentials and put them up for sale suggests they gained access either by reusing credentials leaked in earlier data breaches (credential stuffing, which succeeds whenever a user recycles a password across services) or by harvesting logins with info-stealing malware on users' devices.
Hacking forums now have thousands of Disney+ accounts available for sale but ZDNet also discovered that some forums were giving away these credentials for free so that the hacker community could use and share them with others.
Technical program manager at HackerOne, Niels Schweisshelm explained how Disney can combat these account takeovers by implementing two-factor authentication for its service, saying:
“It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big new consumer launch,” explains Schweisshelm. “The scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them – cybercriminals can rely on consumers’ security apathy to give them an easy win.”
“This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords,” Schweisshelm continued. “The trouble is, passwords are the worst option for secure authentication, but we don’t yet have anything better. For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers. Organizations can do their part by implementing and pushing or even mandating two-factor authentication so that even if passwords are breached, the damage is contained. However, I don’t think we’ll see easy, small-scale theft like that of streaming service accounts brought under control anytime soon.”
Disney said the hacks likely stemmed from security issues that affected other companies, as it has seen no sign of a breach specific to the new service. The company generally locks users’ accounts and asks them to reset their passwords if its systems spot suspicious login activity, it said.
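The kind of "suspicious login activity" check described above can be illustrated with a small detector. The following is an added example written for this article, not Disney's own code; it runs over constructed authentication log lines (timestamp, source IP, account, result) and the thresholds (five distinct accounts from one IP within ten minutes, at least half of the attempts failing) are assumptions chosen to make the credential-stuffing pattern visible, not values any real service is known to use.

```python
"""Toy credential-stuffing detector over authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real Disney+ data.
# Format: ISO timestamp, source IP, account email, result (OK/FAIL).
# 203.0.113.7 fans out across many accounts with mostly failures: stuffing.
# 198.51.100.20 is a single user mistyping once, then succeeding: benign.
SAMPLE_LOG = """\
2019-11-16T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-11-16T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-11-16T10:00:03Z 203.0.113.7 carol@example.com OK
2019-11-16T10:00:04Z 203.0.113.7 dave@example.com FAIL
2019-11-16T10:00:05Z 203.0.113.7 erin@example.com FAIL
2019-11-16T10:00:06Z 203.0.113.7 frank@example.com OK
2019-11-16T10:00:07Z 203.0.113.7 grace@example.com FAIL
2019-11-16T10:05:00Z 198.51.100.20 alice@example.com FAIL
2019-11-16T10:05:10Z 198.51.100.20 alice@example.com OK
2019-11-16T11:00:00Z 192.0.2.5 heidi@example.com OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: set_of_accounts_touched} for source IPs that tried at least
    `min_accounts` distinct accounts inside any `window` with a failure ratio
    of at least `min_fail_ratio` (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in sorted(events):
        by_ip[ip].append((ts, account, result))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {a for _, a, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # Record every account this IP touched, not just the window.
                flagged[ip] = {a for _, a, _ in evs}
                break
    return flagged


def accounts_to_lock(events, flagged):
    """Accounts that logged in successfully from a flagged IP: the ones a
    service would lock and force through a password reset."""
    return sorted({a for _, ip, a, r in events if ip in flagged and r == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for ip, accounts in hits.items():
        print(f"{ip}: {len(accounts)} distinct accounts attempted")
    print("lock and reset:", accounts_to_lock(evs, hits))
```

The point of keying on the source IP's fan-out across accounts, rather than on failures per account, is that a stuffing run produces only one or two attempts per victim (the attacker already has the password from a past breach, so many attempts succeed on the first try) and so never trips a per-account lockout; only the cross-account view exposes it. A production detector would also key on ASN, device fingerprint and impossible-travel distance, since attackers rotate IPs through proxies.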
“Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” the company said in a statement.
Disney said its answer to Netflix beat expectations by gaining 10 million subscribers in its first day, despite the technical difficulties, which the company attributed to high demand. The Disney+ catalogue includes content from Disney, Pixar, Marvel and the Star Wars franchise.