Disney+ accounts hack highlights need for more password security

Posted:
in General Discussion edited November 2019
Disney+, the major studio's rival video streaming service to Apple TV+, has hit upon a second launch snag, with a number of users claiming their accounts have been hacked, but the small number of people affected suggests the issue lies in poor password management than in Disney's security.

The Mandalorian, on Disney+
The Mandalorian, on Disney+


Disney launched Disney+ on November 12 and quickly became a victim of its own success, with issues caused by the sheer number of users trying to access the service immediately after its launch. While the service has recovered from the mass influx of users, with it having attained over 10 million customers in its opening 24 hours, another problem relating to security has surfaced.

A number of users spotted by ZDNet complained they were unable to access their account, or found someone without authorization had accessed their account. In the worst cases, users found their devices had been logged out and the account email and password changed, effectively locking them out completely.

Account credentials for Disney+ then started to appear on hacking forums, selling for between $3 and $11 each, as well as being sold on the dark web. The accounts are oddly high in terms of value, as a normal Disney+ subscription is $6.99 per month, though some users have prepaid for access for longer periods than a month, increasing their potential price.

While there has yet to be a confirmation from Disney about the issue, it seems the problem could simply be from poor password management techniques from users. A search by the BBC on Monday revealed more than 4,000 customer accounts were being sold on one site, a tiny number compared with the many hundreds of thousands that would usually be taken as part of a major site breach.

It is plausible the small number of affected accounts could be caused through hackers taking advantage of earlier breaches to acquire lists of email addresses, usernames, and passwords, and simply attempting to log into each set of credentials until one works. As many users continue to reuse the same combinations at multiple venues, the probability of finding functional accounts in this manner is pretty good considering the amount of source material available.

AppleInsider and security experts recommend the use of unique passwords for each account, as a breached set of credentials from one site cannot be used to access another, minimizing the chance of such hacking attempts from working at all. An efficient way of doing this is by using a password management tool, with some offering the ability to create and automatically filling in unique passwords on behalf of the user.

Comments

  • Reply 1 of 20
    Yeah, a non-story story.

    Disney wasn't hacked.

    10 million subscribers in 24 hours (a number Apple wishes they had). Account problems are to be expected. It's the human condition.

    Small percentage of people use the same email and passwords for all of their accounts. If they've been compromised elsewhere, then try it with new Disney service. Account hacked. Not really rocket science.

    And I'm sure some idiots used M1ckeyM0use or Frozen2 as their passwords word too.


    llamarazorpitravnorodomlostkiwichemengin1
  • Reply 2 of 20
    the article is subtly recommending to use complex apple key chain generated passwords. 

    on the surface they seem secure because they need a password, or biometric and a related hardware device to access; but even without that they all follow a pattern, so i do not use them for anything important.

    the speedy turn around suggests people reused passwords and email addresses from a previously hacked service; yet the number is small compared to the user base - perhaps these people have compromised computers with key loggers installed.
  • Reply 3 of 20
    razorpitrazorpit Posts: 1,796member
    the article is subtly recommending to use complex apple key chain generated passwords. 

    on the surface they seem secure because they need a password, or biometric and a related hardware device to access; but even without that they all follow a pattern, so i do not use them for anything important.

    the speedy turn around suggests people reused passwords and email addresses from a previously hacked service; yet the number is small compared to the user base - perhaps these people have compromised computers with key loggers installed.
    I’m willing to bet the “patterned” password keychain generates is considerably more randomized than anything 99.999999% of the users can come up with, including you or I.
    llamaStrangeDayslolliverfastasleepcocoakenFileMakerFeller
  • Reply 4 of 20
    MacProMacPro Posts: 19,523member
    Whilst Disney's programmers are at it they also need to fix the app for Apple TV.  The way Apple TV works with the Apple TV Remote to change audio input (e.g. switch between HomePods or other Audio system) is to swipe down.  In all apps such as Netflix this is honored.  In the Disney app this has been purloined for a different use.  That's poor beta testing on their part to miss that.
    lolliverrobjnFileMakerFeller
  • Reply 5 of 20
    I run into some websites and apps, including from huge corporations, on which I've attempted to use Apple's "strong password," only to realize they're being old-timey and requiring a password 8-11 characters with one capital letter and one number or some such. I generally just close the browser/delete the app at that point.
    jwdawsollamalostkiwiStrangeDaysdysamorialolliver
  • Reply 6 of 20
    linkmanlinkman Posts: 1,029member
    I run into some websites and apps, including from huge corporations, on which I've attempted to use Apple's "strong password," only to realize they're being old-timey and requiring a password 8-11 characters with one capital letter and one number or some such. I generally just close the browser/delete the app at that point.
    An 8 character password consisting solely of A-Z, a-z, 0-9, and the "keyboardable" symbols in the 7 bit ASCII set (values 33-126 only, excludes space) produces a password that can be cracked in 2 days according to howsecureismypassword.net.  Cut out the symbols/punctuation and it's cracked in 2 hours. These times assume that you have full access to the encrypted passwords and you don't get locked out by an escalating time penalty between guesses or a complete account lockout. Password reuse will certainly reduce the benefit of a server limiting attempts when another compromised server gives up the information freely. 
    king editor the grate
  • Reply 7 of 20
    davgregdavgreg Posts: 1,000member
    Since Disney bought BamTech who developed MLB and other streaming platforms and owns Hulu you would think they would have been ready for this. As a customer of Hulu with Live TV I can tell you whoever is doing the technical side and hosting have issues.

    On Hulu, when big sports events are airing live, they often stall even on very fast and stable cable internet connections. When those shows are on ESPN they control the whole chain- they cannot point fingers at third parties. 
  • Reply 8 of 20
    maestro64maestro64 Posts: 5,039member
    linkman said:
    I run into some websites and apps, including from huge corporations, on which I've attempted to use Apple's "strong password," only to realize they're being old-timey and requiring a password 8-11 characters with one capital letter and one number or some such. I generally just close the browser/delete the app at that point.
    An 8 character password consisting solely of A-Z, a-z, 0-9, and the "keyboardable" symbols in the 7 bit ASCII set (values 33-126 only, excludes space) produces a password that can be cracked in 2 days according to howsecureismypassword.net.  Cut out the symbols/punctuation and it's cracked in 2 hours. These times assume that you have full access to the encrypted passwords and you don't get locked out by an escalating time penalty between guesses or a complete account lockout. Password reuse will certainly reduce the benefit of a server limiting attempts when another compromised server gives up the information freely. 
    Yes this is true if the service does not lock you out after 3 failed attempts. 

    A number of years ago some idiot oversea Got my bank UID but not the PW and began to hack my account and kept locking out my account which I could easily reset. However, after two failed attempts, I got emails saying my account was being lock, I called the bank they confirmed the outside attempts and verified it was not me trying to log in and failed, they simply changes my UID and this stopped the login attempts and they blocked the IP of the hacker.

    Hacking someone account is not as easily as experts want everyone to think, especially if service employee counter measures, which most service do today, some counter measure are so complicated I hate use those sites.
  • Reply 9 of 20
    jcs2305jcs2305 Posts: 1,309member
    MacPro said:
    Whilst Disney's programmers are at it they also need to fix the app for Apple TV.  The way Apple TV works with the Apple TV Remote to change audio input (e.g. switch between HomePods or other Audio system) is to swipe down.  In all apps such as Netflix this is honored.  In the Disney app this has been purloined for a different use.  That's poor beta testing on their part to miss that.
    In TVOS 13 you can hold down the TV button on the Siri remote to open control center at the bottom of the control center is the airplay symbol/button just choose what device you want from there. I use it to switch between my tv speakers and Homepod or my Beats X when watching a movie.

    I have the TV button set to take me to the home screen rather than the TV App, but I think it will work the same either way.


    lostkiwiFileMakerFeller
  • Reply 10 of 20
    badmonkbadmonk Posts: 1,139member
    You mean I can’t use “mouse” as my password?
    lostkiwi
  • Reply 11 of 20
    MacPro said:
    Whilst Disney's programmers are at it they also need to fix the app for Apple TV.  The way Apple TV works with the Apple TV Remote to change audio input (e.g. switch between HomePods or other Audio system) is to swipe down.  In all apps such as Netflix this is honored.  In the Disney app this has been purloined for a different use.  That's poor beta testing on their part to miss that.
    Likewise, YouTube's non-native, repurposed console app does the same -- the swipe-down menu is not implemented. There is the remote's TV-button-long-press, which lets you switch it there as well, but YouTube for me doesn't honor that switch either, I have to leave the app and change it on the home screen via the Play-button-long-press, every single session. So lame. Just use the freakin' native conventions.... This is another stone in the wall of "Google doesn't understand good UX".
    dysamoria
  • Reply 12 of 20
    Another feature that's reportedly missing is device management. So even if you change your password, whoever's already logged in under your account will stay logged in.
    dysamoria
  • Reply 13 of 20
    MacProMacPro Posts: 19,523member
    jcs2305 said:
    MacPro said:
    Whilst Disney's programmers are at it they also need to fix the app for Apple TV.  The way Apple TV works with the Apple TV Remote to change audio input (e.g. switch between HomePods or other Audio system) is to swipe down.  In all apps such as Netflix this is honored.  In the Disney app this has been purloined for a different use.  That's poor beta testing on their part to miss that.
    In TVOS 13 you can hold down the TV button on the Siri remote to open control center at the bottom of the control center is the airplay symbol/button just choose what device you want from there. I use it to switch between my tv speakers and Homepod or my Beats X when watching a movie.

    I have the TV button set to take me to the home screen rather than the TV App, but I think it will work the same either way.


    Cool I will investigate.  I've been having to back out of the Disney app to change audio targets and then go back in.
  • Reply 14 of 20
    dysamoriadysamoria Posts: 3,430member
    What evidence is there that this WAS user error? All I see in this article is supposition.

    As a savvy and busy online tech user, I have 182 accounts to keep track of. Keeping track of even one quarter of this amount of accounts is difficult for average people. The problem isn’t really the users. The problem is the system and what it demands of them.

    Memorizing a completely different and complex password for every one of your accounts...? Only people who keep spreadsheets / password databases, or rely entirely on browsers to supply passwords, can deal with this (and it’s still a PITA to maintain spreadsheets / databases, keep them secure, etc).

    What happens when those password tools fail you? How often do you have to reset an account password because of not having that plugin or browser feature available to you at the moment (different device, inaccessible password manager, etc)?

    Also, as pointed out correctly above by another commentator, MANY websites and tools will not even ALLOW a proper password. 8-11 characters as a limit is STILL stupidly common (government websites are a perfect and horrible example). You can’t use a secure password generator on those. That issue is NOT on the user!!
    king editor the grate
  • Reply 15 of 20
    the article is subtly recommending to use complex apple key chain generated passwords. 

    on the surface they seem secure because they need a password, or biometric and a related hardware device to access; but even without that they all follow a pattern, so i do not use them for anything important.

    the speedy turn around suggests people reused passwords and email addresses from a previously hacked service; yet the number is small compared to the user base - perhaps these people have compromised computers with key loggers installed.
    You create something more secure than three sets of six random characters separated by dashes? I just checked the last one I generated for a site in https://howsecureismypassword.net and it says:

    It would take a computer about

    43 QUINTILLION YEARS

    to crack your password

  • Reply 16 of 20

    dysamoria said:
    What evidence is there that this WAS user error? All I see in this article is supposition.

    As a savvy and busy online tech user, I have 182 accounts to keep track of. Keeping track of even one quarter of this amount of accounts is difficult for average people. The problem isn’t really the users. The problem is the system and what it demands of them.

    Memorizing a completely different and complex password for every one of your accounts...? Only people who keep spreadsheets / password databases, or rely entirely on browsers to supply passwords, can deal with this (and it’s still a PITA to maintain spreadsheets / databases, keep them secure, etc).

    What happens when those password tools fail you? How often do you have to reset an account password because of not having that plugin or browser feature available to you at the moment (different device, inaccessible password manager, etc)?

    Also, as pointed out correctly above by another commentator, MANY websites and tools will not even ALLOW a proper password. 8-11 characters as a limit is STILL stupidly common (government websites are a perfect and horrible example). You can’t use a secure password generator on those. That issue is NOT on the user!!
    The evidence is some people contacted said they had reused passwords. However, others did not so those were compromised by other means.

    Regardless... You named the correct solutions — browser password storage and/or password managers. Even if you don't use something that stores this info online (options in Lastpass or 1password make your stuff accessible online), or you don't have the browser with you that stores your passwords, you can just reset the password.

    No "savvy and busy online tech user" would try to memorize different complex passwords for all your accounts. 
  • Reply 17 of 20
    linkmanlinkman Posts: 1,029member
    the article is subtly recommending to use complex apple key chain generated passwords. 

    on the surface they seem secure because they need a password, or biometric and a related hardware device to access; but even without that they all follow a pattern, so i do not use them for anything important.

    the speedy turn around suggests people reused passwords and email addresses from a previously hacked service; yet the number is small compared to the user base - perhaps these people have compromised computers with key loggers installed.
    You create something more secure than three sets of six random characters separated by dashes? I just checked the last one I generated for a site in https://howsecureismypassword.net and it says:

    It would take a computer about

    43 QUINTILLION YEARS

    to crack your password

    Even if everyone were to use the same pattern with three sets of six random characters separated by dashes -- thus eliminating the value of the dashes -- it's 7.7 x 10^30 permutations if only letters a-Z are used. It's nearly uncrackable. I'm not sure if you are stating that the 18 character password is sufficient or not?
    fastasleep
  • Reply 18 of 20
    linkman said:
    the article is subtly recommending to use complex apple key chain generated passwords. 

    on the surface they seem secure because they need a password, or biometric and a related hardware device to access; but even without that they all follow a pattern, so i do not use them for anything important.

    the speedy turn around suggests people reused passwords and email addresses from a previously hacked service; yet the number is small compared to the user base - perhaps these people have compromised computers with key loggers installed.
    You create something more secure than three sets of six random characters separated by dashes? I just checked the last one I generated for a site in https://howsecureismypassword.net and it says:

    It would take a computer about

    43 QUINTILLION YEARS

    to crack your password

    Even if everyone were to use the same pattern with three sets of six random characters separated by dashes -- thus eliminating the value of the dashes -- it's 7.7 x 10^30 permutations if only letters a-Z are used. It's nearly uncrackable. I'm not sure if you are stating that the 18 character password is sufficient or not?
    I'm saying it IS sufficient despite what @cy_starkman said regarding there being a pattern.
    edited November 2019
  • Reply 19 of 20
    A “user error” so to say.
    Or could it be that server based solutions with exposed databases are sooo 2010?
  • Reply 20 of 20
    I tend to agree that poor password security is the problem here. What’s interesting is that Disney Plus must have a login scheme available that is scriptable, otherwise these reuse attacks wouldn’t work.

    For e-mail providers like Microsoft and Google, IMAP/POP/SMTP is the attack vector because you can easily script attempted logins through those protocols that do not support OAuth. Disney Plus must be using something that allows post commands (or something similar) to login. Big mistake, if that’s the case, for a brand new service.
    fastasleep
Sign In or Register to comment.