The highly-anticipated Disney+ streaming service already suffered from hacks – just hours after the launch, thousands of user accounts were already on sale on the Dark Web
Online web streaming platforms proved to be extremely successful, and services like Netflix, Hulu, Amazon Prime, and others rack up millions of paying customers worldwide – it is widely accessible and relatively cheap for many. In recent months, all the hype was directed towards the new Disney+ service, which would allow viewers to see various blockbusters from Disney, Lucasfilm, Pixar, Marvel, National Geographic, among others, on-demand.
Upon its release on November 12 in the United States, Canada, and the Netherlands, the service was ordered by whopping 10 million users, although not everything went as planned: users were unable to view the contents due to login errors,[1] the official website went offline, and, as it turned out, multiple users started complaining about their accounts being hacked just hours after Disney+ was launched.
According to ZDNet,[2] multiple listings were found on the Dark Web that offered Disney+ user accounts either for free or for as low as $3-$11 per account. Just as expected, considering the hype surrounding the new service, the price for the streaming accounts is a few times higher than those of Netflix or Hulu.
Password reuse is the most likely cause of the Disney+ account compromise
Users by now are used to creating new accounts regularly, and many are choosing to reuse the same login credentials (or password) for multiple accounts. However, this is one of the worst practices that can easily lead to the personal data leak and result in various other issues, as accessing the account also provides hackers a way to acquire other personal details, such as names, emails, and even credit card details.
The problem with password reuse is that, in case sites that the password is used on gets compromised, it gives attackers what they need to break-in to multiple other accounts thanks to the automated brute-forcing technique. In other words, by using automated software, cybercriminals can access thousands of accounts almost instantly, and then sell them on the Dark Web. This is most likely what happened to thousands of users the bought the Disney+ subscription, patiently awaiting its launch. Unfortunately, they got more than they bargained for.
User complaints filled social networks
Certain type of difficulties is kind of a norm during the launch of major services – nobody wants them, but they are often there. On November 12, some users who tried to log in to their Disney+ accounts failed to do so, but not because of technical difficulties that the service was experiencing, but rather credential compromise.
Users on Reddit, Twitter, and other social networks complained that their Disney+ accounts are locked out, as unauthorized parties have accessed them and changed their password, as well as contact email address to prevent people from regaining the control via the automated confirmation service. One user on Twitter wrote:[3]
DISNEY+ HAS BEEN OPEN FOR LIKE 10 HOURS AND MY ACCOUNT HAS ALREADY BEEN HACKED
While some were rushing to blame Disney’s security practices, others were not so hasty and blamed the user himself:
Maybe you should have used a unique password. It’s not Disney’s fault if you recycle passwords and are already on lists.
Two-factor authentication can save many from account hacks
Even though it is true that most users are themselves to blame for such account breaches, there are several things that can be done to increase the security of all the accounts. For example, Google Chrome and other modern browsers provide password-managing services that do not require to remember credentials for each account. Even then, however, Google accounts can get compromised due to malware attacks.
While Disney did not agree to comment on the account hacks to ZDNet, there is something it can do – enable two-factor (2FA) authentication. Once activated, it complicates the hacking process for cybercriminals, as two pieces of evidence need to be presented to prove the identity of the user. Unfortunately, some malware was able to bypass even that.[4]
To conclude, while there is no method which would be able to protect your Disney+ and other accounts 100%, employing adequate security measures instead of ignoring all advice from security experts can make a great difference – more precisely, it can reduce the chance of being hacked by 99%.[5]