Disney’s long-awaited streaming service, Disney+, launched last week to much fanfare, notching an impressive 10 million subscribers on its first day. However, within 24 hours of going live, it was reported that thousands of accounts have been hacked, with critical data stolen and sold onto the dark web.
Disney+ users began posting messages on Twitter and Reddit stating that their accounts had been compromised. Some users complained of being locked out of pre-paid accounts after receiving alerts that account information, including their password and contact details, had been changed.
Disney+ users have been hacked.
The hackers have stolen thousands of customer accounts, days after the launch of the service, and are selling the accounts on the dark web.https://t.co/KLXM86WluJ
— New York Daily News (@NYDailyNews) November 19, 2019
Commenting on the news are the following cybersecurity experts:
It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big new consumer launch. The scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them – cybercriminals can rely on consumers’ security apathy to give them an easy win. This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords. The trouble is, Passwords are the worst option for secure authentication, but we don’t yet have anything better. For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers. Organizations can do their part by implementing and pushing or even mandating two-factor authentication so that even if passwords are breached, the damage is contained. However, I don’t think we’ll see easy, small-scale theft like that of streaming service accounts brought under control anytime soon.
An online streaming service is a whole new world for Disney, and as they ask customers to \”be our guest\” and \”put our service to the test,\” two-factor authentication would be a welcome addition.
Any customer who wishes to guard against account takeovers can adopt the worry-free philosophy of not reusing passwords from other accounts. A spoonful of cybersecurity, in the form of a password manager, could help the number of compromised accounts go down.
The details are unclear regarding the reports of hacked Disney+ accounts. At this time, there are no indications that point to a hack or data breach within the Disney cybersecurity program. What could be happening is a mass effort by bad-actors to use previously stolen user IDs and passwords. A quick search on https://haveibeenpwned.com/ reveals websites previously subjected to security events or databases exposed during hacking incidents. There are hundreds of incidents which contain millions of leaked user IDs and passwords.
What is missing from the Disney+ security service is multi-factor-authentication (MFA, also 2FA). MFA is a method in which access is granted only after two or more pieces of evidence a provided when signing onto a service. The password is one of the pieces; depending on how MFA is deployed within a service, a second piece could a code sent to the user\’s mobile phone, which is then entered at the time of login. MFA does not guarantee that only the authorized user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad-actors gaining access with only user ID and password credentials.
If this is the case with the reports of hacked Disney+ accounts, then Disney did not do anything wrong per se, but they could elect to look at increasing their security posture by upgrading their authentication program.
Of course, there’s still the situation of user IDs – in use with other websites – which are the same user IDs at Disney+. This is a similar concern any company faces when offering a service online. In general, companies still need to protect user IDs and passwords from getting hacked through their website or from database security loopholes. One very effective way is to use data tokenization, which replaces user IDs and passwords with scrambled text, which has no usable value in hacking incidents. Strong encryption is also effective in reducing the likelihood of data exposure during a breach.