Disney Plus, owned by the Walt Disney Direct-to-Consumer and International division of The Walt Disney Company, is in the news for the wrong reasons just days after its launch. Users of the American subscription video-on-demand (SVOD) streaming service, which was launched in the United States, Canada, and the Netherlands on 12 November 2019, reported that they were having trouble logging in and that they were locked out of their accounts.
A ZDNet report stated that thousands of users’ accounts were hacked using keylogging or info-stealing malware. Their email addresses and passwords were changed, “effectively taking over the account and locking the previous owner out”, and their login information was put up for sale on the dark web.
While Disney Plus has responded to the incident saying they have no evidence of a breach, this incident is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential-stealing malware on users’ devices, says John Shier, senior security advisor, Sophos.
“Credential stuffing is when cybercriminals use leaked credentials from one website, which could already be for sale on the dark web, and try those same credentials on other online services. This breach is a prime example of the importance of having unique passwords across all of your online services. As we’ve seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person’s previously compromised passwords across different services, that will be their default,” says John Shier.
The excitement around the Disney Plus platform had begun to build from the day the service was announced, and Disney stated that the streaming service had signed up over 10 million subscribers on the first day of its launch.
“Excitement has been building for Disney+ and while it’s in limited release, people will seek out alternative means to use the platform, even if that includes using someone else’s password. It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype. Opportunistic cybercriminals deploying credential stealing malware may be identifying Disney+ accounts in their collected data and offering them for sale separately because of the buzz associated with this new platform,” adds John.
The senior security advisor from Sophos also notes that the Disney Plus platform currently does not appear to offer any kind of multi-factor authentication, which would thwart these kinds of attacks against online services. In the meantime, here are some tips from Sophos for users to protect themselves from such attacks:
- Don’t reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches.
- Provide as little personally identifiable information online as possible.
- All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.
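The credential-stuffing pattern John Shier describes (leaked username/password pairs sprayed across many accounts, most of them failing) leaves a distinctive trace in a service's authentication logs. The following is an added example, not code from the article or from Disney or Sophos, that flags source addresses trying many distinct accounts with a low success rate and lists the accounts that did succeed, which are the takeovers an operator would want to force-reset; the log format and the addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events (not from the article): time, source IP, account, result.
SAMPLE_LOG = """\
2019-11-14T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-11-14T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-11-14T10:00:02Z 203.0.113.7 carol@example.com OK
2019-11-14T10:00:03Z 203.0.113.7 dave@example.com FAIL
2019-11-14T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-11-14T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-11-14T10:00:04Z 203.0.113.7 grace@example.com OK
2019-11-14T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2019-11-14T10:05:00Z 198.51.100.4 ivan@example.com FAIL
2019-11-14T10:05:20Z 198.51.100.4 ivan@example.com FAIL
2019-11-14T10:05:45Z 198.51.100.4 ivan@example.com OK
"""

def parse_auth_log(text):
    """Parse one event per line into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def find_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts with a low success rate.
    A user retrying a mistyped password hits one account; a stuffing run sprays
    leaked pairs across many accounts and mostly fails."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["successes"] += int(e["ok"])
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_accounts and rate <= max_success_rate:
            # Successful logins from a flagged IP are the likely takeovers to force-reset.
            flagged[ip] = {
                "accounts_tried": len(s["users"]),
                "success_rate": round(rate, 2),
                "compromised": sorted(e["user"] for e in events if e["ip"] == ip and e["ok"]),
            }
    return flagged
```

On the constructed log, 203.0.113.7 is flagged (8 accounts, 25% success) while 198.51.100.4, a single user retrying their own password, is not; the thresholds are starting points to tune against real traffic volumes.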