The long wait is over.
Disney+, the new video-streaming service to rival Netflix and Amazon Prime, debuted last week to much fanfare, racking up 10 million subscribers within a single day of launch. Unfortunately, it wasn’t the kind of splash the majority of users predicted, as they were met with connection and performance issues out of the gate—soon to be followed by reports of accounts being hacked and sold on the dark web.
Disney+, on the other hand, didn’t expect to be overwhelmed with technical complications due to exceedingly high consumer demand. Nor do they admit to suffering a data breach, despite user complaints of being frozen out of their accounts or seeing their credentials changed without approval.
Things continue to unfold as we speak, but here’s what we currently know about the Disney+ security issues.
Disney+ user credentials on the dark web
For as low as US$3, interested buyers lurking on the dark web can acquire a trove of stolen Disney+ accounts, which popped up in several underground markets mere hours after launch last week. According to an investigation conducted by Catalin Cimpanu of ZDNet, “Hacking forums have been flooded with Disney+ accounts, with ads offering access to thousands of account credentials.” They also saw hacked accounts being offered for free use and for sharing.
The BBC, with the help of an unnamed cybersecurity researcher, further confirmed the sale of thousands of Disney+ accounts.
No smoking gun...yet
As of press time, Disney denies that there was a data breach of its streaming platform, and no one has pointed to a root cause for how Disney+ accounts were hacked. However, there is some informed speculation.
Users with hacked accounts may have used recycled credentials. And this won’t be a surprise if it's true. According to a Google survey, two in three Internet users reuse their passwords—some for multiple accounts, some for all of them.
Armed with leaked credentials from multiple data breaches, hackers likely used credential stuffing: the automated entry of compromised username-password combinations into login forms, in this case those of Disney+. This works on the assumption that users reused the exact same combination on that service.
Disney+ also allows for password sharing, but its user interface doesn't include an option to easily log others out from account access. In addition, it doesn't require two-factor authentication, a security measure that could have prevented recycled credentials from being an issue.
Hackers may have guessed user passwords correctly. Another method hackers can use is password guessing. It seems silly, but this works, too, because many users are still so bad at making strong passwords and opt for easy-to-remember ones like "12345," "password," and "qwerty." Add in the difficulty of entering complex passwords via TV remote, and that makes this scenario even more plausible.
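To show how a defender can tell the two login-abuse patterns described above apart, here is an added example (not code from Disney or from the original article) that classifies source IPs by the shape of their failed logins. The event format, thresholds and function names are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (source IP, username, login succeeded); not real data.
SAMPLE_EVENTS = (
    # One source trying a different leaked pair per account: stuffing pattern.
    [("203.0.113.7", f"user{i}@example.com", i == 4) for i in range(8)]
    # One source hammering a single account with many passwords: guessing pattern.
    + [("198.51.100.9", "alice@example.com", False) for _ in range(6)]
    # A household member mistyping once, then logging in.
    + [("192.0.2.15", "bob@example.com", False), ("192.0.2.15", "bob@example.com", True)]
)

def classify_sources(events, min_failures=5, spread=0.8):
    """Label each noisy source IP by the shape of its failed logins.

    Thresholds are illustrative assumptions, not values from any vendor.
    """
    attempts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # ip -> user -> [fail, ok]
    for ip, user, ok in events:
        attempts[ip][user][1 if ok else 0] += 1

    verdicts = {}
    for ip, users in attempts.items():
        failures = sum(f for f, _ in users.values())
        if failures < min_failures:
            continue  # typo-level noise, not worth flagging
        failed_users = [u for u, (f, _) in users.items() if f]
        # Ratio near 1.0 means each failure hit a different account,
        # i.e. one username-password pair tried per account.
        if len(failed_users) / failures >= spread:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "password_guessing"
    return verdicts

def accounts_to_review(events, verdicts):
    """Accounts a flagged source logged in to successfully: lock or reset these first."""
    return sorted({user for ip, user, ok in events if ok and ip in verdicts})

if __name__ == "__main__":
    flagged = classify_sources(SAMPLE_EVENTS)
    print(flagged)
    print(accounts_to_review(SAMPLE_EVENTS, flagged))
```

The successful login from a flagged source is the signal that matters most: it marks an account whose reused password worked and that should be locked and reset.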
ZDNet noted, however, that even consumers who used unique passwords claimed their accounts were stolen. In that case, it is possible that…
Disney+ really was hacked or their user database leaked online. Not all companies fess up to being hacked right away, especially if they are in the middle of investigating the culprit/root cause. In addition, Disney has a documented history of cutting corners on investing in technology infrastructure. It's possible their databases were not properly secured and credentials actually leaked online, allowing threat actors to simply grab the information they needed without having to breach at all.
Users may actually have malware on their systems. It’s not a long shot, considering we have nasties like spyware and keyloggers in the wild. So many houses are Internet-connected through streaming services and other IoT devices, such as home assistants, thermostats, doorbell, security, and lock systems. These networked devices are notoriously vulnerable to attack.
Users may have been phished. Although there are no reports of an active phishing campaign against Disney+ users, we have seen a well-timed, professionally put-together phishing email fool even the cleverest of Internet users.
A Disney+ account lockdown is a security precaution
Some users have complained on social media that they were locked out of the Disney+ service. While this may suggest that hackers have successfully changed the emails and passwords linked to affected accounts, it could also suggest that a security precaution Disney had put in place is working: When their system sees suspicious activity on an account during the login process, it locks that account down.
Of course, until Disney customer service confirms this to be true for affected users, we can only assume that finding yourself locked out is the streaming service’s way of protecting your account from getting compromised. Unfortunately, Disney made the mistake of linking its new streaming service with the rest of its platforms, freezing some users out of their other Disney services as well.
At the end of the day, there’s good news
There is plenty of room for improvement, for both the users and Disney+.
Users should take this incident as a reminder of the importance of good password hygiene, such as creating unique and complex credentials and never reusing them. Chances are, online criminals already have some of your old passwords in their stash, so why continue to use them?
Heed what others have already advised and start using a password manager. There are a lot of options out there, so take your time and make sure you pick the one you think is for you. Because Disney+ doesn’t have another layer of account protection in place, such as two-factor authentication (2FA), it is more crucial than ever to use a randomly generated, long password that you don’t have to memorize.
Speaking of passwords, it’s also good practice to avoid sharing them with anyone, including friends and family members. Yes, Disney tolerates the practice of password sharing, but for security's sake, it's best not to. At the very least, consider introducing a little bit of friction in keeping your accounts secure. And this is true not just for Disney+ account holders.
There is no shortage of great suggestions for Disney+ to increase its security, too. Apart from implementing and mandating the use of 2FA (especially for linked Walt Disney accounts), the streaming service should also have provided a feature where a user can view other devices connected to their Disney+ account. Some also suggest that, since Disney also owns Hulu, Disney+ should have a feature that allows account holders to log everyone out in the event of a hack.
Disney+ is set to roll out in European countries and the UK in March 2020. Hopefully by that time, both users and Disney will have done more to ensure their accounts are secured, beefier protections are enabled, and performance issues are ironed out.