Disney Plus blames previous hacks as user accounts sold online
The company reiterated that it found no evidence of a security breach and that account problems are limited to ‘a very small percentage of users’.
Disney has said Disney Plus account passwords being sold in underground hacking forums are coming from previous breaches at other companies, predating last week’s launch of its streaming service.
The company reiterated that it found no evidence of a security breach and that account problems are limited to “a very small percentage of users”.
Disney and other traditional media companies are trying to capture the subscription revenue now going to Netflix and other streaming giants. Helped by promotions, including a free year for some Verizon customers, Disney Plus attracted 10 million subscribers on its first day.
News site ZDNet found stolen account usernames and passwords selling for 3 dollars on underground hacking forums. Disney’s streaming service costs 7 dollars a month or 70 dollars a year.
Users can easily avoid this by using strong passwords that are unique for each service, said Troy Hunt, an Australian security researcher whose Have I Been Pwned? website alerts people when their identity information is stolen.
But he said Disney should implement better security measures.
“The Disney situation appears to be yet another credential stuffing attack where hackers exploit a combination of customers reusing passwords and the service provider not providing sufficient defences to stop it,” he said.
Paul Rohmeyer, a professor at the Stevens Institute of Technology in Hoboken, New Jersey, said he is surprised that streaming services have not implemented better security such as multi-factor authentication.
Under this method, users must enter a code sent as a text message or email when logging in from a new device. The code helps ensure that people using stolen passwords or guessing them cannot use a service without also having access to the legitimate user’s phone or email account.
Mr Rohmeyer said services may be hesitant to implement tougher security because they do not want to be seen as more inconvenient than competitors.
Multi-factor authentication is an option for many non-streaming services, including Google, Facebook and Apple, but the extra security must be turned on.
Disney Plus does require codes sent by email when changing account passwords, but does not use them for logging in from new devices.
Multi-factor authentication is harder to implement for services that are shared in households, as multiple users would need access to the same phone or email account.
While Disney Plus, Netflix and Hulu let family members create their own profiles, with separate watch lists and preferences, they all share the same username and password. Apple TV Plus gets around this by having each family member sign in with a separate Apple ID.