- Australians rushed to sign up to Disney Plus after it launched here on Tuesday, but there could be a major security fault with the streaming service.
- Thousands of US accounts have already been compromised, with users’ passwords emerging for sale online.
- While Disney denies there has been a major security breach, security firm Sophos has warned that a lack of multi-step verification leaves accounts vulnerable to attack.
After a hotly anticipated launch on Tuesday, Australia is now finally able to sign up and watch Disney Plus.
But with thousands of accounts stolen by hackers in the same week as its US launch, there’s a possibility the same fate could befall Australians as hackers look to profit, security firm Sophos has warned.
“Excitement has been building for Disney+ and while it’s in limited release, people will seek out alternative means to use the platform, even if that includes using someone else’s password,” senior security advisor John Shier told Business Insider Australia in an email.
“It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype.”
Many American subscribers have complained of being hacked online, lamenting that it took just days for accounts to be compromised.
Not even been half of a week and my dad’s Disney+ account has ALREADY been hacked.
— Jesse (@CaptnJesturd) November 15, 2019
#distwitter has anyone’s @disneyplus account been hacked? My friend’s was; hackers changed email and password. Now she’s completely blocked from her 3-year prepaid Disney+ account. She’s been on hold for >2 hours
— HopeandLight (@Travel4vr) November 12, 2019
Disney for its part has bizarrely maintained there has been no hack.
“Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” a Disney spokesperson said in an email to Business Insider.
Exactly how it’s being done is also a matter of contention.
“Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential-stealing malware on users’ devices,” Shier said.
“Credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services. This breach is a prime example of the importance of having unique passwords across all of your online services.”
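The pattern Shier describes, a single source trying leaked username/password pairs across many different accounts, looks quite different in an authentication log from one user mistyping their own password. The following is an added illustration of that difference, written for this page and not code from Business Insider, Sophos or Disney. The log format, the sample lines and the thresholds are all constructed assumptions; a real service would tune them against its own traffic.

```python
"""Credential-stuffing detection heuristic over an authentication log.

Added example, not from the article or Sophos. The log format below is an
assumption (constructed here): <timestamp> src=<ip> user=<account> result=<ok|fail>
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data). One source sprays logins across
# six accounts and gets one hit; another source is a single user retrying.
SAMPLE_LOG = """\
2019-11-15T10:00:01Z src=203.0.113.7 user=alice@example.com result=fail
2019-11-15T10:00:02Z src=203.0.113.7 user=bob@example.com result=fail
2019-11-15T10:00:03Z src=203.0.113.7 user=carol@example.com result=ok
2019-11-15T10:00:04Z src=203.0.113.7 user=dave@example.com result=fail
2019-11-15T10:00:05Z src=203.0.113.7 user=erin@example.com result=fail
2019-11-15T10:00:06Z src=203.0.113.7 user=frank@example.com result=fail
2019-11-15T10:01:00Z src=198.51.100.9 user=grace@example.com result=fail
2019-11-15T10:01:05Z src=198.51.100.9 user=grace@example.com result=fail
2019-11-15T10:01:10Z src=198.51.100.9 user=grace@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return {src: stats} for sources that attempt logins against many distinct
    accounts with a high failure rate. Thresholds are illustrative assumptions.

    A legitimate user retrying a forgotten password touches one account; a
    credential-stuffing run touches many, most of which fail because the leaked
    password was not reused there. Accounts that *succeeded* from a flagged
    source are the ones to force a password reset or an MFA challenge on.
    """
    per_src = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": set()}
    )
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["failures"] += 1
        else:
            s["successes"].add(e["user"])

    flagged = {}
    for src, s in per_src.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised_candidates": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

Run as-is, the script flags only 203.0.113.7 (six distinct accounts, five of six attempts failed) and names carol@example.com as the account whose reused password worked; 198.51.100.9, which only ever tried one account, is left alone. In production the same counters would be kept per source over a sliding window rather than over a whole file, and the success list would feed the reset or step-up flow rather than a print.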
Some users claim they have used unique passwords and been relatively diligent. One ran through the measures her friend had taken before losing her account.
“From what she told me, it was a unique password that wasn’t similar to any other website. Her log in was her email. She did not click on any phishing/suspicious emails. She noted that there is no 2-way verification which is an issue,” she tweeted.
From what she told me, it was a unique password that wasn’t similar to any other website. Her log in was her email. She did not click on any phishing/suspicious emails. She noted that there is no 2-way verification which is an issue
— HopeandLight (@Travel4vr) November 17, 2019
Shier agrees that the lack of verification tools is a major security shortcoming.
“Unfortunately, the Disney Plus platform does not appear to offer any kind of multi-factor authentication which would thwart these kinds of attacks against online services,” he said. “All services, such as Disney Plus, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.”
In the meantime, he said there were some major things Australians could do to safeguard themselves.
“Don’t reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches [and] provide as little personally identifiable information online as possible,” he said.
Be safe out there, gang.
Has your Disney Plus account been hacked? Drop our reporter a line at [email protected]