It’s safe to say that visionary Walt Disney did not see this one coming. In just their first hour online, over 10 million fans signed up for Disney+ streaming service, but many got much more than they planned on. Just hours after the multinational entertainment company launched its Disney+ service, happy customers began noticing something wasn’t quite right with their new accounts. Not only were customers reporting technical problems with the site, but many began posting on social media that their Disney+ accounts were hacked. Almost immediately after the launch, account information was advertised for sale on hacking forums for just $3-$11, with some being posted free for the taking. The much-awaited Disney+ rollout was officially deemed a disaster.
Users reported being mysteriously signed out of their accounts, as well as having passwords and email addresses changed. Locked out of their accounts, many customers took to sites like Twitter and Reddit to report the issues. Frustrated account holders who called Disney+ customer service to report the incident found themselves on hold for hours. Some hacked customers revealed the password for their Disney+ account was not unique and was also used for other accounts–something we all know by now is very risky. This left open the possibility that bad actors got lucky by “credential stuffing” passwords from other hacks until they found a match on Disney+ accounts. Considering the massive amounts of stolen data from other streaming sites like Netflix, Hulu, and Amazon Prime are easily obtained, reused passwords could be the keys to the kingdom.
Be on the lookout for phishing scams taking advantage of the chaos. There are a few circulating that look convincing. Below are a couple examples. To be sure you are always logging into your account, use your app or login directly from a browser. It is never a good idea to click on a link from an unexpected email.
About the claims of hacked accounts, Disney says “We have found no evidence of a security breach.” However, they do suggest any issues with Disney+ be reported to the company immediately. Security experts note Disney does not use two-factor authentication for customer accounts, a crucial step in verifying the account is in the right hands. For now, the obvious answer is not to reuse passwords and make them unique and strong. Passwords should always be at least eight characters and include a combination of upper and lowercase letters, a number or more, and a special character or more. Don’t use common words, names, or personal information in passwords. That’s just inviting trouble.
With the massive amount of data breaches happening today, it’s likely a person’s data has already been compromised, including passwords. Knowing that hackers are actively credential stuffing pilfered accounts, both Disney+ and their account holders need to step-up their online security.