Disney Plus customers have had their accounts compromised within days of the Australian launch, following similar attacks in the US

The arrival of Disney Plus last week was one of the most anticipated launches of the year.

Ten million Americans signed up with the streaming service within the first 24 hours last week. The Australian launch followed just a week later to comparable fanfare, but also shared a sinister similarity — user accounts have been compromised and sold off on online password sharing sites within days.

Thousands of US accounts have been found on online websites, selling for a fraction of an annual subscription fee. After warning ahead of the local launch that Australian users were at risk, Business Insider Australia can reveal the same online attacks are happening here.

“I got my account 1 hour before the official launch at around 8am on the 19th of November [and] despite having lots of issues at launch with congestion, I was able to enjoy streaming that night,” Daniel Lee, 38, told Business Insider Australia on Friday.

“On the 22nd November, I received an email saying my account details had changed.”

A surprised Lee received the following notification from the streaming service.

It wasn’t until Lee logged out of his account, however, that he began experiencing problems.

“I was no longer able to log back in using the email and password. I was perplexed so I went on to the website to ‘manage my account’ which was still logged in on my Safari browser.”

That’s when Lee discovered his account was now linked to someone else’s email address.

“I couldn’t change it back as the password was no longer the one I had set.”

Lee no longer had access to his own account nor could he use the streaming service. His payment details, however, remained active, meaning had he not caught it, he would have unwittingly been paying for a stranger to stream.

While Disney has denied there is a problem with the security of its platform, John Shier, senior security advisor at security firm Sophos, has told Business Insider Australia the service is vulnerable to phishing attacks and lacks the multi-factor verification that would help secure it. Shier says such attacks usually involve having access to a user’s old passwords, reused from other services.

“I had used a password I used for some other accounts way back, so it’s possible someone had just attempted to reuse some stolen credentials of mine and happened to be the same password,” Lee admits.

In a statement to Business Insider Australia, Disney said there is no evidence there has been any breach of data at Disney Plus. “We have found no evidence of a security breach,” a spokesperson said.

“Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the web. We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.”

“We have seen a very small percentage of users in this situation and encourage any users who are having these kinds of issues to reach out to our customer support so we can help them.”

When Lee called Disney’s support team, he was surprised to hear it was another Australian who had taken over his account and said the company had been helpful in recovering his account.

“To rectify the matter and ensure no downtime for me, they asked me for an alternate email address,” he said. “I re-signed up for [a] 7-day trial on that email and they bumped it to 30 days free so I guess I got something out of it.”

In the meantime, Lee said he’s cancelled his existing trial so he won’t be out of pocket. Disney told him it would monitor the account in the meantime as part of its internal investigation.

Although happy with Disney’s response, Lee does believe there is more Disney could do to safeguard its users.

“I was frustrated at having been so easily hacked within days of starting up the service [and] thought, ‘why is it so easy?’” Lee said.

“I think Disney needs to have some sort of two-factor authentication when someone wishes to change major account details. I think mobile phone SMS verification at the very least [would help].”
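The two defensive signals described in this story, Shier’s point that these takeovers replay passwords leaked elsewhere and Disney’s statement that it locks accounts on suspicious logins, can be turned into simple detection rules over authentication logs. The following is an added example written for this article, not code from Disney or Sophos; the log format, the thresholds and the sample events (including the IP addresses and accounts) are constructed, and the rules flag a single source IP failing logins against many different accounts, and an account whose email was changed shortly after a login from an IP never seen for it before, which is exactly the sequence Lee experienced.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events in time order (not real Disney+ logs):
# (timestamp, event, account, source IP).
EVENTS = [
    ("2019-11-22T09:00:00", "login_ok",      "dan@example.com",   "198.51.100.7"),
    ("2019-11-22T10:00:01", "login_fail",    "alice@example.com", "203.0.113.9"),
    ("2019-11-22T10:00:02", "login_fail",    "bob@example.com",   "203.0.113.9"),
    ("2019-11-22T10:00:03", "login_fail",    "carol@example.com", "203.0.113.9"),
    ("2019-11-22T10:00:04", "login_ok",      "dan@example.com",   "203.0.113.9"),
    ("2019-11-22T10:01:30", "email_changed", "dan@example.com",   "203.0.113.9"),
    ("2019-11-22T11:00:00", "login_ok",      "erin@example.com",  "198.51.100.8"),
]
STUFFING_MIN_ACCOUNTS = 3                # distinct accounts failed from one IP ...
STUFFING_WINDOW = timedelta(minutes=5)   # ... within this window
TAKEOVER_WINDOW = timedelta(minutes=15)  # sensitive change this soon after a new-IP login

def parsed(events):
    """Events with parsed timestamps; assumes the input is already in time order."""
    return [(datetime.fromisoformat(t), ev, acct, ip) for t, ev, acct, ip in events]

def stuffing_sources(events):
    """IPs that failed logins against many distinct accounts in a short window:
    the credential-stuffing pattern, where leaked passwords are replayed at scale."""
    fails = defaultdict(list)
    for t, ev, acct, ip in parsed(events):
        if ev == "login_fail":
            fails[ip].append((t, acct))
    flagged = set()
    for ip, tries in fails.items():
        for i, (t0, _) in enumerate(tries):
            accts = {a for t, a in tries[i:] if t - t0 <= STUFFING_WINDOW}
            if len(accts) >= STUFFING_MIN_ACCOUNTS:
                flagged.add(ip)
    return flagged

def takeover_candidates(events):
    """Accounts where a login from an IP never seen for that account was followed
    by an email change: the case to lock and force a password reset on."""
    seen = defaultdict(set)  # account -> IPs that have logged in before
    last_new = {}            # account -> (time, ip) of latest login from a new IP
    flagged = set()
    for t, ev, acct, ip in parsed(events):
        if ev == "login_ok":
            if ip not in seen[acct]:
                last_new[acct] = (t, ip)
            seen[acct].add(ip)
        elif ev == "email_changed" and acct in last_new:
            t0, ip0 = last_new[acct]
            if ip == ip0 and t - t0 <= TAKEOVER_WINDOW:
                flagged.add(acct)
    return flagged
```

In a real deployment the second rule is where a step-up check such as the SMS verification Lee asks for would sit: the email change is allowed only once the new login has passed it.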

Has your Disney Plus account also been compromised? Contact [email protected].
