Thousands of Disney+ Accounts for Sale on Hacking Forums
Disney+ is arguably the most highly anticipated media streaming platform of 2019. Yet within hours of its launch on November 12, thousands of accounts had been hacked due to users’ poor password choices.
The service, available now only in the U.S., Canada, and the Netherlands, amassed more than 10 million customers in its first 24 hours.
However, within the first day, it became clear that many Disney+ users had lost control of their accounts:
Not even been half of a week and my dad’s Disney+ account has ALREADY been hacked.
— Jesse (@CommandrBlitzer) November 15, 2019
#distwitter has anyone’s @disneyplus account been hacked? My friend’s was; hackers changed email and password. Now she’s completely blocked from her 3-year prepaid Disney+ account. She’s been on hold for >2 hours
— cat+dog=happyhome (@Travel4vr) November 12, 2019
DISNEY+ HAS BEEN OPEN FOR LIKE 10 HOURS AND MY ACCOUNT HAS ALREADY BEEN HACKED pic.twitter.com/YBv6CfwTlh
— brandon ʕ·ᴥ·ʔ (@brandoncult) November 12, 2019
Reporting for ZDNet, Catalin Cimpanu discovered several listings for Disney+ accounts on different underground hacking forums. The going rate for a hacked account was as little as $3.
For its part, Disney claims that its platform systems have not been compromised.
The culprit? People using the same password for many different accounts.
Of course, it can be exhausting these days to maintain a unique password for each of the countless online services. But password managers take much of the pain out of registering for a new account.
How Do Hackers Gain Access?
According to ZDN Net, “hackers are armed with billions of email addresses (likely including yours) and billions of previously-used passwords. Using automated brute-forcing tools they can quickly break into accounts en masse.”
Once hackers have gained access, they tend to move quickly. They revoke access to authorized devices and then change passwords to prevent legitimate users from logging back in. They’ll change the email address associated with an account, too. That stops users from using automated password reset tools to regain access.
Get started on your cybersecurity degree at American Military University.
Multi-factor authentication helps, but Disney has yet to roll out multi-factor authentication. So the best defense starts with a strong, unique password.
To add to Disney’s woes, the streaming service was plagued by technical issues on launch day. Many users complained about long wait times in customer service chats.
If you are thinking about signing up for Disney+, consider using a password manager to create a unique password for you that is difficult to guess. If you are already a member and are using the same password on Disney+ that you use for other online services, consider changing it.