Disney+ user accounts hacked, credentials sold; company denies breach
Disney+, the streaming service from Disney, went live this week, but things aren't going as smoothly for the platform as the company would have wanted. First, the service was hit with a series of outages on the day of launch. Now it has been reported that thousands of Disney+ subscribers have had their accounts hijacked.
ZDNet found stolen usernames and passwords of Disney+ customers being sold for as little as $3 on underground hacking forums. The report notes that many Disney+ users found themselves locked out of their accounts and unable to access the streaming service. Users have also posted about the issue on Twitter and Reddit, many with screenshots showing that their account password and details had been changed, effectively leaving them without access.
Both the BBC and ZDNet have found Disney+ accounts being sold on the dark web. Disney, however, has denied that there was a breach, saying that its streaming service is secure. The company says that it takes the privacy and security of users' data seriously and that there is no indication of a security breach.
John Shier, senior security advisor at security firm Sophos, says that the situation could be the result of a credential stuffing attack, a phishing campaign against Disney+ users, or credential-stealing malware on users' devices. None of these requires any compromise of Disney's own systems, so accounts being sold and a truthful denial of a breach are not contradictory.
Shier explains, “Credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services.”
Shier says that this incident is a prime example of why people should use a unique password for each of their online services. "As we've seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person's previously compromised passwords across different services, that will be their default," he adds.
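As an added example that is not from the original article, ZDNet, Sophos or Disney, the Python below shows what the defensive side of the credential stuffing Shier describes looks like in practice: a service can spot a stuffing run in its own authentication logs (one source trying many different accounts with a high failure rate), list the accounts that run did log into, and reject a password already known from earlier leaks at sign-up or login. The log format, IP addresses, account names and leaked-password set are all constructed for the example and are not real Disney+ data.

```python
"""Credential-stuffing detection and leaked-password checking (added example)."""
import hashlib
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; hypothetical format
# "<ISO-8601 timestamp> <source IP> <account> <OK|FAIL>".
# 203.0.113.5  : ten different accounts in ten seconds, two of them succeed (stuffing)
# 198.51.100.7 : one account hammered repeatedly (single-account brute force, not stuffing)
# 192.0.2.9    : a normal user mistyping once and then logging in
SAMPLE_LOG = """\
2019-11-14T10:00:01Z 203.0.113.5 alice@example.com FAIL
2019-11-14T10:00:02Z 203.0.113.5 bob@example.com FAIL
2019-11-14T10:00:03Z 203.0.113.5 carol@example.com OK
2019-11-14T10:00:04Z 203.0.113.5 dave@example.com FAIL
2019-11-14T10:00:05Z 203.0.113.5 erin@example.com FAIL
2019-11-14T10:00:06Z 203.0.113.5 frank@example.com OK
2019-11-14T10:00:07Z 203.0.113.5 grace@example.com FAIL
2019-11-14T10:00:08Z 203.0.113.5 heidi@example.com FAIL
2019-11-14T10:00:09Z 203.0.113.5 ivan@example.com FAIL
2019-11-14T10:00:10Z 203.0.113.5 judy@example.com FAIL
2019-11-14T10:01:00Z 198.51.100.7 mallory@example.com FAIL
2019-11-14T10:01:01Z 198.51.100.7 mallory@example.com FAIL
2019-11-14T10:01:02Z 198.51.100.7 mallory@example.com FAIL
2019-11-14T10:01:03Z 198.51.100.7 mallory@example.com FAIL
2019-11-14T10:01:04Z 198.51.100.7 mallory@example.com FAIL
2019-11-14T10:02:00Z 192.0.2.9 alice@example.com FAIL
2019-11-14T10:02:30Z 192.0.2.9 alice@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_distinct=8, min_fail_rate=0.5):
    """Flag source IPs that, within any sliding window, tried many distinct
    accounts and mostly failed. Stuffing is one password per account across
    many accounts, so the distinct-account count is the key signal; a
    brute force against one account never reaches min_distinct."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # sort by timestamp so the window can slide
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start, fails, accounts = 0, 0, Counter()
        for end, (ts, _, acct, ok) in enumerate(evs):
            accounts[acct] += 1
            fails += not ok
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                _, _, old_acct, old_ok = evs[start]
                accounts[old_acct] -= 1
                if accounts[old_acct] == 0:
                    del accounts[old_acct]
                fails -= not old_ok
                start += 1
            n = end - start + 1
            if len(accounts) >= min_distinct and fails / n >= min_fail_rate:
                flagged[ip] = {"attempts": n, "distinct_accounts": len(accounts), "failures": fails}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that a flagged source logged into successfully: these are the
    ones whose reused password worked and that should be force-reset."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in flagged})


# Constructed stand-in for a breach corpus: SHA-1 digests of passwords seen in
# earlier leaks. A real deployment would query such a corpus by hash prefix
# (the k-anonymity pattern below) so the plaintext never leaves the server.
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in ("password1", "letmein", "disney123")}


def leaked_suffixes(prefix):
    """Range query: every leaked digest starting with `prefix`, minus the prefix."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def password_is_leaked(password):
    """True if the password's SHA-1 appears in the leaked set; only the first
    five hex characters of the digest are sent to the range query."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in leaked_suffixes(digest[:5])


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(events)
    print("stuffing sources:", hits)
    print("accounts to reset:", compromised_accounts(events, hits))
    print("letmein leaked?", password_is_leaked("letmein"))
```

The thresholds are deliberate: a single user who mistypes a few times never reaches eight distinct accounts, and a brute force against one account fails the same test, so the detector keys on the one property that distinguishes stuffing. The leaked-password check is the server-side complement to Shier's advice about unique passwords: it refuses the reused, already-leaked password before a stuffing run can exploit it.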
Disney+ is clearly popular, as is evident from the fact that it attracted 10 million subscribers on the day it launched. That popularity also means attackers would seize the opportunity to go after Disney+ subscribers' credentials and cash in on the hype.
Shier says that cybercriminals could have sent out Disney+ phishing campaigns or credential-stealing malware and “unfortunately, the Disney+ platform does not appear to offer any kind of multi-factor authentication which would thwart these kinds of attacks”.