Subscribers of the newly launched streaming service from the house of mouse say their accounts have been hacked
Disney’s recently launched streaming service, Disney+, is at the centre of reports that it has been hacked.
Within 24 hours of its launch last week, thousands of users began complaining that their accounts had been hacked, and some media outlets reportedly found accounts being offered for sale on hacking forums.
But in a twist that is sure to add to the confusion, Disney is claiming its streaming service, which acquired 10 million customers within days of its launch, hasn’t actually been hacked.
Disney+ launched last week in the United States, Canada and the Netherlands (but not the UK).
The launch was reportedly plagued with technical issues and customer service complaints soon started. But now it seems that as though Disney+ could be facing a security issue as well.
According to an investigation by ZDnet, thousands of user accounts went on sale on the dark web.
Only hours after the service launched, hackers were reportedly selling Disney+ accounts for as little as $3 (£2.30) to as high as $11. A monthly subscription to Disney+ costs $7 (£5.40) a month.
And users have taken to Twitter and Reddit, complaining their accounts had been compromised. Some users complained of being locked out of pre-paid accounts after receiving alerts that account information, including their password and contact details, had been changed.
This effectively locked out the account holders from their own accounts.
But Disney has said it takes the privacy and security of users’ data very seriously, “and there is no indication of a security breach on Disney+”, USAtoday quoted the house of mouse as saying.
There is concern that the hacks could be exploiting user’s reuse of existing passwords for other services that have already been compromised.
But matters are not being helped by the news that Disney+ is not using multi-factor authentication.
The news of the possible hack has prompted a number of responses from the security industry as a whole.
“The details are unclear regarding the reports of hacked Disney+ accounts,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “At this time, there are no indications that point to a hack or data breach within the Disney cybersecurity program.”
“What could be happening is a mass effort by bad-actors to use previously stolen user IDs and passwords,” Deveaux warned. “What is missing from the Disney+ security service is multi-factor-authentication (MFA, also 2FA). MFA does not guarantee that only the authorised user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad-actors gaining access with only user ID and password credentials.”
Another expert also noted the confusion about whether Disney+ has been hacked or not.
“It’s unknown how Disney+ accounts have been breached, but this is not something new or unique to Disney+,” said Javvad Malik, security awareness advocate at KnowBe4. “Many online streaming services have user accounts compromised.”
“From a user perspective, it’s important to not reuse passwords across different services, and to be wary of notification emails which come through, particularly ones with links,” said Malik. “Providers need to look at ways through which accounts can be better-secured, such as including multi factor authentication, or by implementing stronger monitoring controls that can detect anomalies and stop potentially malicious activity.”
Another expert pointed out that using MFA, especially for streaming services commonly used by children, can be an issue.
“There has been no information about a security or configuration issue that would allow hackers to gather passwords,” said Lamar Bailey, senior director of security research at Tripwire. “We often hear about two-factor authentication being a solution, but with streaming apps this can be a pain. For example, if you have kids that want to watch a show and you need to approve the sign in on a second device.”
“Disney+ customers get email alerts when the email or password has changed, and if you select ‘forgot password’ you are emailed a code, so a change in password or email should not be a surprise,” said Bailey.
Another expert said that MFA would however be a welcome development, as well as the use of a password manager.
“An online streaming service is a whole new world for Disney, and as they ask customers to ‘be our guest’ and ‘put our service to the test,’ two-factor authentication would be a welcome addition,” said Jonathan Knudsen, senior security strategist at Synopsys.
“Any customer who wishes to guard against account takeovers can adopt the worry-free philosophy of not reusing passwords from other accounts,” said Knudsen. “A spoonful of cybersecurity, in the form of a password manager, could help the number of compromised accounts go down.”
Another expert pointed to the use of torrents as the Disney+ service experienced technical difficulties when it launched last week.
“Bogus streaming links offering the latest shows but actually giving nothing but fake surveys and malware downloads spike whenever a new show launches, but an entire channel was always going to increase the target area,” said Chris Boyd, lead malware analyst at Malwarebytes.
“Staggering rollout will only make the problem worse, and the various technical hitches suffered during the Disney+ rollout has meant strong interest in torrents even in areas the service is available,” said Boyd. “Shows like Doctor Who and The Walking Dead suffer from this every season, and now it’s something Disney needs to consider too. They’ll never be able to take down every torrent, every real or fake stream, or every website promising episodes in return for filling in some surveys, so they should consider keeping their users safe via dedicated security pages which explain the privacy risks of untrusted websites and files.”
Do you know all about security? Try our quiz!