Thousands of Disney Plus accounts have already been hacked overseas. Now experts say one major security flaw could allow it to happen here.

After a hotly anticipated launch on Tuesday, Australians are now finally able to sign up and watch Disney Plus.

But with thousands of accounts stolen by hackers in the same week as its US launch, there’s a possibility the same fate could befall Australians as hackers look to profit, security firm Sophos has warned.

“Excitement has been building for Disney+ and while it’s in limited release, people will seek out alternative means to use the platform, even if that includes using someone else’s password,” senior security advisor John Shier told Business Insider Australia in an email.

“It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype.”

Many American subscribers have complained of being hacked online, lamenting that it took just days for accounts to be compromised.

Disney for its part has bizarrely maintained there has been no hack.

“Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” a Disney spokesperson said in an email to Business Insider.

Exactly how it’s being done is also a matter of contention.

“Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential-stealing malware on users’ devices,” Shier said.

“Credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services. This breach is a prime example of the importance of having unique passwords across all of your online services.”

Some users claim they have used unique passwords and been relatively diligent. One ran through the measures her friend had taken before losing her account.

“From what she told me, it was a unique password that wasn’t similar to any other website. Her log in was her email. She did not click on any phishing/suspicious emails. She noted that there is no 2-way verification which is an issue,” she tweeted.

Shier agrees that the lack of verification tools is a major security shortcoming.

“Unfortunately, the Disney Plus platform does not appear to offer any kind of multi-factor authentication which would thwart these kinds of attacks against online services,” he said. “All services, such as Disney Plus, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.”

In the meantime, he said there were some major things Australians could do to safeguard themselves.

“Don’t reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches [and] provide as little personally identifiable information online as possible,” he said.

Be safe out there, gang.
