Disney’s New Streaming Site Hacked With Customer Data Sold On Dark Web – Experts Reactions

Disney’s long-awaited streaming service, Disney+, launched last week to much fanfare, notching an impressive 10 million subscribers on its first day. However, within 24 hours of going live, it was reported that thousands of accounts had been hacked, with critical data stolen and sold on the dark web.

Disney+ users began posting messages on Twitter and Reddit stating that their accounts had been compromised. Some users complained of being locked out of pre-paid accounts after receiving alerts that account information, including their password and contact details, had been changed.

Commenting on the news are the following cybersecurity experts:

Experts’ Comments

November 19, 2019
Niels Schweisshelm
Technical Program Manager
HackerOne
It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big new consumer launch. The scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them – cybercriminals can rely on consumers’ security apathy to give them an easy win. This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords. The trouble is, passwords are the worst option for secure authentication, but we don’t yet have anything better. For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers. Organizations can do their part by implementing and pushing or even mandating two-factor authentication so that even if passwords are breached, the damage is contained. However, I don’t think we’ll see easy, small-scale theft like that of streaming service accounts brought under control anytime soon.
November 19, 2019
Jonathan Knudsen
Senior Security Strategist
Synopsys
An online streaming service is a whole new world for Disney, and as they ask customers to "be our guest" and "put our service to the test," two-factor authentication would be a welcome addition. Any customer who wishes to guard against account takeovers can adopt the worry-free philosophy of not reusing passwords from other accounts. A spoonful of cybersecurity, in the form of a password manager, could help the number of compromised accounts go down.
November 19, 2019
Jonathan Deveaux
Head of Enterprise Data Protection
comforte AG
The details are unclear regarding the reports of hacked Disney+ accounts. At this time, there are no indications that point to a hack or data breach within the Disney cybersecurity program. What could be happening is a mass effort by bad actors to use previously stolen user IDs and passwords. A quick search on https://haveibeenpwned.com/ reveals websites previously subjected to security events or databases exposed during hacking incidents. There are hundreds of incidents which contain millions of leaked user IDs and passwords. What is missing from the Disney+ security service is multi-factor authentication (MFA, also 2FA). MFA is a method in which access is granted only after two or more pieces of evidence are provided when signing onto a service. The password is one of the pieces; depending on how MFA is deployed within a service, a second piece could be a code sent to the user's mobile phone, which is then entered at the time of login. MFA does not guarantee that only the authorized user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad actors gaining access with only user ID and password credentials. If this is the case with the reports of hacked Disney+ accounts, then Disney did not do anything wrong per se, but they could elect to look at increasing their security posture by upgrading their authentication program. Of course, there’s still the situation of user IDs – in use with other websites – which are the same user IDs at Disney+. This is a similar concern any company faces when offering a service online. In general, companies still need to protect user IDs and passwords from getting hacked through their website or from database security loopholes. One very effective way is to use data tokenization, which replaces user IDs and passwords with scrambled text, which has no usable value in hacking incidents. Strong encryption is also effective in reducing the likelihood of data exposure during a breach.
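The "mass effort by bad actors to use previously stolen user IDs and passwords" that Deveaux describes is credential stuffing, and it leaves a recognisable trace in a service's own authentication logs: one source address cycling through many different accounts with a high failure rate. The following is an added example, not code from the article or any of the commenters; the log format, the RFC 5737 example addresses and the sample lines are constructed, and the `window`, `min_users` and `min_fail_ratio` thresholds are illustrative starting points a defender would tune.

```python
"""Credential-stuffing detector over auth logs (added example; the log
format and the sample lines below are constructed, not Disney+ data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>OK|FAIL)$")
# One IP replaying leaked pairs across many accounts; one user who mistypes once.
SAMPLE_LOG = """\
2019-11-13T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-11-13T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-11-13T10:00:03Z ip=203.0.113.5 user=carol result=OK
2019-11-13T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2019-11-13T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2019-11-13T10:00:20Z ip=198.51.100.7 user=gina result=FAIL
2019-11-13T10:00:25Z ip=198.51.100.7 user=gina result=OK"""

def parse(log_text):
    """Parse matching lines into dicts with a datetime `ts`; skip the rest."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """{ip: sorted users} for IPs hitting >= min_users accounts, mostly FAIL."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            fails = sum(e["result"] == "FAIL" for e in chunk)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = sorted(users)
    return flagged

def likely_takeovers(events, flagged):
    """Accounts that logged in OK from a flagged IP: force a reset and notify."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged and e["result"] == "OK"})
```

On the sample, `203.0.113.5` is flagged (five accounts, four failures) and `carol` is the one successful login from it, which is exactly the account whose owner would later see the "your password and contact details were changed" alert the article describes; the legitimate `gina` retry from `198.51.100.7` is not flagged.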