In what appears to be a massive data breach, thousands of Disney+ accounts were found listed for sale on the dark web. Shortly after launch, thousands of Disney+ users were locked out of their accounts for suspicious behaviour.
Although it is unclear at the moment whether this was a coordinated attack on existing Disney+ accounts, chances are that previously compromised, leaked credentials available on online hacking forums led to this problem. Disney+ itself was not compromised, but people who chose a weak password were the weak link, cybersecurity firm Bitdefender explains.
In most cases, hackers use existing leaked credentials that are readily available on the internet. Since most users fail to reset their passwords even after their account credentials have been compromised, hackers can simply try the same credentials to access other services.
Disney+ went live last week across the US and Canada, featuring thousands of movies and TV episodes from Disney, Pixar, Marvel, Lucasfilm and National Geographic. Disney said 10 million subscribers signed up for Disney+ within a day of launching its new video streaming service.
In an email statement to Republic World, Monique Becenti, channel and product specialist at cybersecurity firm SiteLock, had this to say:
"User accounts and login information are appealing to hackers because it is a gateway to valuable customer data that could provide access to a wide range of other user accounts associated with your login details, such as banking information or credit card data. In the case of Disney+, some users’ credentials were changed, which resulted in users being locked out of their accounts."
"In this case, some hacked accounts are listed for more than the cost of a legitimate account. For bad actors, a hacked account is valuable as more than a way to access streaming content for cheaper than market price. It opens the door to other valuable information, like passwords, that can be used in things like credential stuffing attacks," Becenti added.
Security researchers recommend that users enable two-factor authentication to safeguard their online accounts.
"People who are interested in signing up for streaming services such as Disney+ should ensure that two-factor authentication is offered to better protect their login credentials and personal data," Becenti said.
"The price tag associated with accounts being sold on the dark web can vary due to a variety of factors, such as the type of personal data cybercriminals can access, but generally, they can be sold for upwards of hundreds of dollars," she added.