“Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” the company said in a statement emailed to The Post.
Compromised accounts are cropping up on hacking forums all over the Internet, selling for $3 to $11 apiece, ZDNet found. A Disney Plus subscription costs $7 a month. On certain hacking forums, ZDNet found Disney Plus credentials being offered free. BBC also uncovered several hacked accounts for sale online.
“It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big new consumer launch,” Niels Schweisshelm, technical program manager at HackerOne, wrote Tuesday morning.” This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords."
Some users told ZDNet they had reused passwords, leaving them vulnerable to credential stuffing, where hackers use log-in combinations gleaned from security breaches of other companies or websites. But many users on social media reported being hacked despite having unique passwords.
This problem is not unique to Disney. Amazon Prime, Hulu and Netflix have long faced similar struggles with hackers hawking accounts online or giving them away. (Amazon founder Jeff Bezos owns The Washington Post.) Uber dealt with some account theft last year, where consumers saw charges on their accounts for rides hundreds of miles away. Experts said it was likely that credentials had been stolen during a security breach Uber suffered in 2016, which the company hid for more than a year.
Like most streaming services, Disney Plus allows password sharing, meaning an account can be accessed from different devices in different locations, even far-flung ones. Disney Plus also does not have multi-factor authentication, which would require someone to confirm their identity beyond the standard log-in and password before successfully signing into an account. Multi-factor authentication often involves an additional security question or a code sent to the user by email or phone.
“MFA does not guarantee that only the authorized user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad-actors gaining access with only user ID and password credential,” Jonathan Deveaux, head of enterprise protection for Comforte AG, wrote Tuesday morning. “If this is the case with the reports of hacked Disney+ accounts, then Disney did not do anything wrong per se, but they could elect to look at increasing their security posture by upgrading their authentication program.
Disney Plus has launched in only a handful of countries, including the United States and Canada. A new entrant to the increasingly crowded streaming landscape, Disney’s streaming service boasts exclusive access for franchises such as Star Wars and Marvel and for Disney’s shows and films.
Disney shares were up slightly in morning trading.