Disney+ accounts hack highlights need for more password security
Disney+, the major studio's rival to Apple TV+, has hit a second launch snag, with a number of users claiming their accounts have been hacked, but the small number of people affected suggests the issue lies more in poor password management by users than in Disney's security.
The Mandalorian, on Disney+
Disney launched Disney+ on November 12 and quickly became a victim of its own success, with issues caused by the sheer number of users trying to access the service immediately after its launch. While the service has recovered from the mass influx of users, having attained over 10 million customers in its opening 24 hours, another problem relating to security has surfaced.
A number of users spotted by ZDNet complained they were unable to access their account, or found someone without authorization had accessed their account. In the worst cases, users found their devices had been logged out and the account email and password changed, effectively locking them out completely.
Account credentials for Disney+ then started to appear on hacking forums, selling for between $3 and $11 each, as well as being sold on the dark web. The prices are oddly high, given that a normal Disney+ subscription is $6.99 per month, though some users have prepaid for access for longer periods than a month, increasing the potential price of their accounts.
While there has yet to be a confirmation from Disney about the issue, it seems the problem could simply be down to poor password management by users. A search by the BBC on Monday revealed more than 4,000 customer accounts being sold on one site, a tiny number compared with the many hundreds of thousands that would usually be taken in a major site breach.
It is plausible that the small number of affected accounts is explained by attackers taking advantage of earlier breaches to acquire lists of email addresses, usernames, and passwords, and simply attempting to log in with each set of credentials until one works, a technique known as credential stuffing. As many users continue to reuse the same combinations at multiple sites, the probability of finding working accounts in this manner is fairly high, considering the amount of source material available.
AppleInsider and security experts recommend the use of a unique password for each account, so that a breached set of credentials from one site cannot be used to access another, minimizing the chance of such attempts working at all. An efficient way of doing this is to use a password management tool, many of which can generate unique passwords and fill them in automatically on the user's behalf.
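The credential-stuffing pattern described above leaves a distinctive trace in authentication logs: one source tries many different accounts, each only once or twice, with a low success rate, whereas a legitimate user who forgets a password retries a single account. The following detector, added here as an illustration and not code from AppleInsider or Disney, runs over constructed sample log lines (the IPs, accounts and log format are invented for the example) and flags sources that hit at least five distinct accounts within a five-minute window.

```python
"""Flag credential-stuffing activity in login events (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, one event per line (not a real service's logs):
# "<ISO timestamp> ip=<source> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2019-11-18T10:00:01 ip=203.0.113.5 user=alice@example.com result=fail
2019-11-18T10:00:03 ip=203.0.113.5 user=bob@example.com result=fail
2019-11-18T10:00:04 ip=203.0.113.5 user=carol@example.com result=ok
2019-11-18T10:00:06 ip=203.0.113.5 user=dave@example.com result=fail
2019-11-18T10:00:07 ip=203.0.113.5 user=erin@example.com result=fail
2019-11-18T10:00:09 ip=203.0.113.5 user=frank@example.com result=ok
2019-11-18T10:01:00 ip=198.51.100.7 user=grace@example.com result=fail
2019-11-18T10:01:30 ip=198.51.100.7 user=grace@example.com result=fail
2019-11-18T10:02:00 ip=198.51.100.7 user=grace@example.com result=ok
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, user, result = line.split()
    value = lambda field: field.split("=", 1)[1]
    return datetime.fromisoformat(ts), value(ip), value(user), value(result)


def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: (distinct_accounts, successes)} for every source that
    attempted logins against at least `min_accounts` different accounts
    inside any sliding `window`. A single user mistyping their own password
    (198.51.100.7 in the sample) touches one account and is not flagged."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # oldest first so the window can slide forward
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            span = events[start:end + 1]
            accounts = {user for _, user, _ in span}
            if len(accounts) >= min_accounts and len(accounts) > flagged.get(ip, (0, 0))[0]:
                successes = sum(1 for _, _, r in span if r == "ok")
                flagged[ip] = (len(accounts), successes)
    return flagged


if __name__ == "__main__":
    for ip, (accounts, ok) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {accounts} distinct accounts tried, {ok} successful logins")
```

The successes reported for a flagged source are the accounts worth forcing a password reset on, since those are the credentials that would end up for sale.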
Comments
Disney wasn't hacked.
10 million subscribers in 24 hours (a number Apple wishes they had). Account problems are to be expected. It's the human condition.
On the surface they seem secure because they need a password, or biometrics and a related hardware device, to access; but even without that they all follow a pattern, so I do not use them for anything important.
The speedy turnaround suggests people reused passwords and email addresses from a previously hacked service; yet the number is small compared to the user base - perhaps these people have compromised computers with keyloggers installed.
On Hulu, when big sports events are airing live, they often stall even on very fast and stable cable internet connections. When those shows are on ESPN they control the whole chain; they cannot point fingers at third parties.
A number of years ago some idiot overseas got my bank UID but not the PW and began to hack my account, and kept locking out my account, which I could easily reset. However, after two failed attempts, I got emails saying my account was being locked. I called the bank; they confirmed the outside attempts and verified it was not me trying to log in and failing. They simply changed my UID and this stopped the login attempts, and they blocked the IP of the hacker.
Hacking someone's account is not as easy as experts want everyone to think, especially if the service employs countermeasures, which most services do today; some countermeasures are so complicated I hate using those sites.
As a savvy and busy online tech user, I have 182 accounts to keep track of. Keeping track of even one quarter of this amount of accounts is difficult for average people. The problem isn’t really the users. The problem is the system and what it demands of them.
Memorizing a completely different and complex password for every one of your accounts...? Only people who keep spreadsheets / password databases, or rely entirely on browsers to supply passwords, can deal with this (and it’s still a PITA to maintain spreadsheets / databases, keep them secure, etc).
What happens when those password tools fail you? How often do you have to reset an account password because of not having that plugin or browser feature available to you at the moment (different device, inaccessible password manager, etc)?
Also, as pointed out correctly above by another commentator, MANY websites and tools will not even ALLOW a proper password. 8-11 characters as a limit is STILL stupidly common (government websites are a perfect and horrible example). You can’t use a secure password generator on those. That issue is NOT on the user!!
It would take a computer about 43 QUINTILLION YEARS to crack your password
The evidence is some people contacted said they had reused passwords. However, others did not so those were compromised by other means.
Regardless... You named the correct solutions: browser password storage and/or password managers. Even if you don't use something that stores this info online (options in LastPass or 1Password make your stuff accessible online), or you don't have the browser with you that stores your passwords, you can just reset the password.
No "savvy and busy online tech user" would try to memorize different complex passwords for all your accounts.
Or could it be that server based solutions with exposed databases are sooo 2010?
For e-mail providers like Microsoft and Google, IMAP/POP/SMTP is the attack vector because you can easily script attempted logins through those protocols that do not support OAuth. Disney Plus must be using something that allows post commands (or something similar) to login. Big mistake, if that’s the case, for a brand new service.