Thousands of Disney+ accounts have already been hacked, according to the BBC‘s reports. Since the streaming service went live last month, thousands of customers have reported hacked accounts that have since been sold on the dark web. Although many contacted Disney about the situation, many have yet to have their problems solved.
Many of these stolen accounts are being offered for free on hacking forums or are available for sale with prices ranging from $3 to $11 (roughly R175), despite the fact that a legitimate Disney+ subscription only costs $7 (roughly R110).
In its first 24 hours, the Disney+ video streaming service already managed to gain 10m customers even though it is currently only available in the US, Canada and the Netherlands. The service's launch was overwhelmed with technical issues though a few customers reported losing access to their accounts entirely. These users had their accounts taken over by hackers who logged them out of all of their devices and then changed the account's email and password to lock the previous owner out.
The hackers behind these account takeovers were able to mobilize quickly to steal Disney+ account credentials and make them available for sale online. This suggests that they either gained access to these accounts by either using leaked credentials from past data breaches or by using info-stealing malware. Hacking forums now have thousands of Disney+ accounts available for sale but ZDNet also discovered that some forums were giving away these credentials for free so that the hacker community could use and share them with others.
Technical program manager at HackerOne, Niels Schweisshelm explained how Disney can combat these account takeovers by implementing two-factor authentication for its service, saying:
"It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big new consumer launch. The scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them – cybercriminals can rely on consumers’ security apathy to give them an easy win."
"This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords. The trouble is, Passwords are the worst option for secure authentication, but we don’t yet have anything better. For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers. Organizations can do their part by implementing and pushing or even mandating two-factor authentication so that even if passwords are breached, the damage is contained. However, I don’t think we’ll see easy, small-scale theft like that of streaming service accounts brought under control anytime soon.”