Disney+ Just Rolled out, and Thousands of Accounts Have Been Hacked Already
Disney+, the video-on-demand platform launched by the eponymous entertainment giant, is off to a shaky start. Even before the launch, users were not ecstatic about the fact that getting their favorite content could mean adding yet another subscription to their monthly bills. People in some of the major markets like the UK were also complaining that the service would initially be available in only three countries – the US, Canada, and the Netherlands.
Despite the criticism, there was a rather large wave of users willing to sign up for the service when it launched on November 12. In fact, it was so huge, Disney couldn't cope with it. Disgruntled users started having problems logging into and using the service almost immediately, and Disney had no other choice but to admit that there's an issue and ask users to be patient. Then, things got worse.
Cybercriminals successfully hijack Disney+ accounts within hours of the streaming platform's launch
Some of the login problems Disney+ users experienced shortly after the launch were caused by technical difficulties. For others, however, signing in was impossible because someone had hijacked their accounts.
As if to prove how quick and efficient they can be sometimes, hackers started successfully breaking into users' Disney+ accounts mere hours after the platform was launched to the public. Subscribers to the new service took to social media to report that someone had changed not only their password but also the email address associated with their Disney+ account, effectively locking them out.
Disney's support people were suddenly faced with a massive challenge as hundreds of users picked up the phone in an attempt to get their accounts back under their control. According to some, the customer service department's response wasn't especially quick.
The cause of the breach remains unknown
With so many people complaining on Facebook, Reddit, and Twitter, it was only a matter of time before the media caught wind of the story. ZDNet's Catalin Cimpanu was the first to report on the incident, and inevitably, he asked Disney to comment on the situation.
After receiving no response, he spoke to a few of the victims. Some of them admitted that their Disney+ login credentials had been used on multiple websites, but others claimed that their accounts at the brand new streaming service were protected by unique passwords.
If all this is true, this was more than a simple credential stuffing campaign. Unfortunately, the lack of an official announcement from Disney means that we can't say whether the attack was caused by password-stealing malware or whether it was the result of a breach in the entertainment giant's streaming platform. What we do know, however, is that the hackers are already monetizing the compromised accounts.
Disney+ accounts are sold on the dark web for as little as $3 apiece
Accounts for streaming services like Netflix and Hulu have always been rather popular with people who trade stolen usernames and passwords on hacking forums and marketplaces. It is logical to assume that compromised Disney+ login credentials will appear on the illegal markets as well. According to ZDNet's report, this has been happening for a few days now.
A set of login credentials for Disney's new service can be bought for just $3 from certain marketplaces, but the price can go as high as $11 apiece, which, preposterously, is more than the price you pay to open an account legally.
Be careful with your Disney+ account
Several problems are highlighted for the umpteenth time by this particular incident. First, you have the lack of any official communication from Disney. The underground adverts suggest that thousands of users have been locked out of their accounts, yet the company is unwilling to share any official details on what happened and why.
The fact that a company as big as Disney launched an online service without even giving users a two-factor authentication option also shows that even large enterprises are not paying enough attention to people's security and privacy.
That being said, not all the blame should be laid on Disney. At least some of the affected users had reused the same password on multiple websites, which goes to show that they're still struggling to grasp the importance of unique login credentials and are exposing themselves to the ever more popular credential stuffing attacks.
And now that the hijacking campaign has attracted the attention of mainstream media, scammers will try to take advantage of it. For the last few days, people have been seeing fake emails allegedly relating to their Disney+ accounts. It's still unknown whether the links in these messages lead to a phishing page or whether they're used to spread malware. One thing that is certain, however, is that if you see a similar email in your inbox, you should approach it with extreme caution.