In what would be nothing short of an embarrassment for Disney, a fresh investigation from ZDNet reveals that thousands of user accounts for the media giant’s just-launched Disney+ streaming service were hacked and sold on hacker forums for as little as $3.
Hacking forums have been flooded with Disney+ accounts, with ads offering access to thousands of account credentials. Prices vary from $3 per account to as much as $11 — which, by the way, is more than what a legitimate Disney+ account costs from Disney, which is $7.
Amid the slew of complaints that users have publicly posted about Disney+, several report accounts being hacked. Here’s a look at a few of them:
#distwitter has anyone’s @disneyplus account been hacked? My friend’s was; hackers changed email and password. Now she’s completely blocked from her 3-year prepaid Disney+ account. She’s been on hold for >2 hours
— cat+dog=happyhome (@Travel4vr) November 12, 2019
While Disney+ has responded by saying they have no evidence of a breach, reports and expert commentary suggest otherwise.
Speaking to The Tech Portal, John Shier, senior security advisor at cybersecurity firm Sophos, says, “Disney+ has responded by saying they have no evidence of a breach. Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users’ devices.”
He further explains that credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services. As an advisory, Shier mentions that breaches like this further highlight the importance of having unique passwords across all of your online services.
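On the service side, credential stuffing as described above tends to show up in login logs as one source trying many different accounts in a short time with very few successes. The sketch below is an added example, not code from Disney, Sophos or the original article; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, username, result
SAMPLE_LOG = """\
2019-11-12T10:00:01 203.0.113.7 user01@example.com FAIL
2019-11-12T10:00:02 203.0.113.7 user02@example.com FAIL
2019-11-12T10:00:03 203.0.113.7 user03@example.com FAIL
2019-11-12T10:00:04 203.0.113.7 user04@example.com FAIL
2019-11-12T10:00:05 203.0.113.7 user05@example.com FAIL
2019-11-12T10:00:06 203.0.113.7 user06@example.com FAIL
2019-11-12T10:00:07 203.0.113.7 user07@example.com OK
2019-11-12T10:00:08 203.0.113.7 user08@example.com FAIL
2019-11-12T10:01:00 198.51.100.20 dave@example.com FAIL
2019-11-12T10:01:20 198.51.100.20 dave@example.com OK
2019-11-12T10:02:00 192.0.2.50 emp1@example.com OK
2019-11-12T10:02:10 192.0.2.50 emp2@example.com OK
2019-11-12T10:02:20 192.0.2.50 emp3@example.com OK
2019-11-12T10:02:30 192.0.2.50 emp4@example.com OK
2019-11-12T10:02:40 192.0.2.50 emp5@example.com OK
"""

def find_stuffing(log, window=timedelta(minutes=5), min_users=5, max_ok_rate=0.2):
    """Map each suspect source IP to the accounts it logged in to successfully.

    An IP is suspect when, inside any sliding window, it tried at least
    min_users distinct accounts and at most max_ok_rate of attempts succeeded.
    The thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "OK"))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            ok_rate = sum(ok for _, _, ok in win) / len(win)
            if len(users) >= min_users and ok_rate <= max_ok_rate:
                # Accounts this IP got into are candidates for a forced reset.
                suspects[ip] = sorted({u for _, u, ok in events if ok})
                break
    return suspects
```

The single user who mistypes a password and the shared office address where many people log in successfully are both left alone; only the source with many accounts and almost no successes is reported, along with the one account it reached.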
The Disney+ rollout hasn’t exactly gone the way Disney would have wanted. The launch itself was marred by technical glitches galore, with most users reporting their inability to stream on the platform. That was also because Disney wasn’t technically prepared to handle such a massive surge of user traffic.
In response to a request for comment, a Disney spokesperson told CNBC that it “takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+”.