Thousands of Disney Plus accounts were hacked and sold online for as little as $3

Washington Post

19 Nov, 2019 08:06 PM4 mins to read

Disney Plus launched in New Zealand on 19 November. Photo / File

For sale: Disney Plus account, barely used.

Within hours of the streaming service's bumpy rollout last week, hackers commandeered user accounts: locking out owners, changing login credentials and, in many cases, selling them for as little as $3 apiece, a ZDNet investigation revealed.

Disney+ servers crashed early in the Nov. 12 debut, which the company attributed to extraordinary demand for its library of Disney television shows and movies, including the Marvel and Star Wars franchises and Pixar favourites such the Toy Story films; the service racked up more than 10 million customers in the first 24 hours. Now, scores of users are complaining online that they've lost access to their accounts. Many report spending hours in telephone and chat queues awaiting customer support from Disney, to no avail.

"Disney takes the privacy and security of our users' data very seriously and there is no indication of a security breach on Disney+," the company said in a statement emailed to The Washington Post.

Compromised accounts are cropping up on hacking forums all over the Internet, selling for $3 to $11, ZDNet found. A Disney Plus subscription costs $7 a month. On certain hacking forums, ZDNet found Disney Plus credentials being offered for free. BBC also uncovered several hacked accounts for sale online.

"It's no surprise that cybercriminals jump on the same bandwagon as everyone else when there's a big new consumer launch," Niels Schweisshelm, technical program manager at HackerOne, wrote Tuesday morning." This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords."

Some users told ZDNet that they had reused passwords, leaving them vulnerable to credential stuffing, where hackers use login combinations gleaned from security breaches of other companies or websites. But many users on social media reported being hacked despite having unique passwords.

This problem is not unique to Disney. Amazon Prime, Hulu and Netflix have long faced similar struggles with hackers hawking accounts online or giving them away. (Amazon CEO Jeff Bezos owns The Post.) Uber dealt with some account theft last year, where consumers saw charges on their accounts for rides hundreds of miles away. Experts said it was likely that credentials had been stolen during a security breach Uber suffered in 2016, which the company hid for more than a year.

Like most streaming services, Disney Plus allows password sharing, meaning an account can be accessed from different devices in different locations, even far-flung ones. Disney Plus also does not have multi-factor authentication, which would require someone to confirm their identity beyond the standard login and password before successfully signing into an account. Multi-factor authentication often involves an additional security question, or a code sent to the user's email or phone.

"MFA does not guarantee that only the authorized user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad-actors gaining access with only user ID and password credential," Jonathan Deveraux, head of enterprise protection for comforte AG, wrote this morning. "If this is the case with the reports of hacked Disney+ accounts, then Disney did not do anything wrong per se, but they could elect to look at increasing their security posture by upgrading their authentication program.

Currently, Disney Plus has launched in a handful of countries, including the United States and Canada. A new entrant to the increasingly crowded streaming landscape, Disney's streaming service boasts exclusive access for franchises such as Star Wars and Marvel, and for Disney's own shows and films.

Disney shares were up slightly in morning trading.

- Washington Post