The huge marketing campaign behind the launch of Disney's new streaming service, and the massive response it elicited from consumers, was too much of a temptation for cybercriminals, who flocked to decipher and then resell the user accounts.

An investigation by ZDNet found brand-new Disney+ user accounts being hawked for between $3 and $11, and sometimes being given away for free. The service went live on November 12 and almost immediately amassed 10 million customers from the U.S., Canada and The Netherlands.

Security experts contacted by SC Media believe the members and Disney share the blame for this situation.

The stolen credentials were not obtained by hacking Disney+, but were likely gleaned from previous breaches, such as the one at Yahoo: the people who signed up for Disney+ simply reused these old, compromised credentials.

"At this time, there are no indications that point to a hack or data breach within the Disney cybersecurity program. What could be happening is a mass effort by bad actors to use previously stolen user IDs and passwords," said Jonathan Deveaux, head of enterprise data protection at comforte AG.

Niels Schweisshelm, technical program manager at HackerOne, said using passwords as a protective measure is a mistake, but until they are phased out and replaced with something more reliable, people must take the proper steps.

"This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords. For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers," he said.

Disney's failure, noted Schweisshelm and Deveaux, was not implementing multifactor authentication for its new service.

"Organizations can do their part by implementing and pushing or even mandating two-factor authentication so that even if passwords are breached, the damage is contained," Schweisshelm said.

There is a downside to 2FA, said Lamar Bailey, senior director of security research at Tripwire, particularly with services like Disney+.

"But with streaming apps this can be a pain. For example, if you have kids that want to watch a show and you need to approve the sign-in on a second device," Bailey said.

Deveaux had a couple of additional recommendations: use data tokenization to scramble the username and password, and strong encryption to protect the information if there is a breach and it is compromised.
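The pattern Deveaux describes, previously stolen user IDs and passwords replayed against a new service, is what a defender sees in the login log as credential stuffing: one source tries many distinct accounts, most attempts fail, and the few successes are the accounts whose owners reused a breached password. The following detector is an added example written for this article; it is not code from SC Media, Disney, or any of the vendors quoted. The log line format, the source addresses (documentation ranges) and the accounts are all constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
"""Per-source credential-stuffing detector over constructed login events."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log (hypothetical service, hypothetical line format).
# 203.0.113.7 walks through ten accounts in nine seconds and gets two in;
# the other two sources are ordinary users, one of them mistyping once.
SAMPLE_LOG = """\
2019-11-13T10:00:01Z login src=203.0.113.7 user=alice@example.com result=success
2019-11-13T10:00:02Z login src=203.0.113.7 user=bob@example.com result=fail
2019-11-13T10:00:03Z login src=203.0.113.7 user=carol@example.com result=fail
2019-11-13T10:00:04Z login src=203.0.113.7 user=dave@example.com result=success
2019-11-13T10:00:05Z login src=203.0.113.7 user=erin@example.com result=fail
2019-11-13T10:00:06Z login src=203.0.113.7 user=frank@example.com result=fail
2019-11-13T10:00:07Z login src=203.0.113.7 user=grace@example.com result=fail
2019-11-13T10:00:08Z login src=203.0.113.7 user=heidi@example.com result=fail
2019-11-13T10:00:09Z login src=203.0.113.7 user=ivan@example.com result=fail
2019-11-13T10:00:10Z login src=203.0.113.7 user=judy@example.com result=fail
2019-11-13T10:05:00Z login src=198.51.100.20 user=carol@example.com result=fail
2019-11-13T10:05:30Z login src=198.51.100.20 user=carol@example.com result=success
2019-11-13T11:00:00Z login src=198.51.100.21 user=bob@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)

Event = Tuple[datetime, str, bool]  # (time, user, succeeded)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, bool]]:
    """Parse one event into (time, source, user, succeeded); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"] == "success"


def max_distinct_users_in_window(events: List[Event], window: timedelta) -> int:
    """Largest number of distinct users one source tried within any `window`.

    `events` must be sorted by time; a two-pointer sweep keeps a running
    count of users inside the window so the scan stays linear.
    """
    counts: Counter = Counter()
    best = left = 0
    for ts, user, _ in events:
        counts[user] += 1
        while ts - events[left][0] > window:  # drop events that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_credential_stuffing(
    log_text: str,
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,          # assumed threshold: distinct accounts per window
    min_fail_ratio: float = 0.75,  # assumed threshold: share of attempts that fail
) -> Dict[str, dict]:
    """Flag sources that try many accounts and mostly fail; list the accounts they got into."""
    per_src: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ts, src, user, ok = parsed
        per_src[src].append((ts, user, ok))

    findings: Dict[str, dict] = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        attempts = len(events)
        failures = sum(1 for _, _, ok in events if not ok)
        fail_ratio = failures / attempts
        distinct = max_distinct_users_in_window(events, window)
        if distinct >= min_users and fail_ratio >= min_fail_ratio:
            findings[src] = {
                "attempts": attempts,
                "distinct_users": distinct,
                "fail_ratio": fail_ratio,
                # Accounts that authenticated from a flagged source: their owners
                # most likely reused a breached password, so these are the ones to
                # force a reset and MFA enrolment for, not the whole user base.
                "compromised": sorted(u for _, u, ok in events if ok),
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {f['distinct_users']} accounts tried, "
              f"{f['fail_ratio']:.0%} failed, logged in as: {', '.join(f['compromised'])}")
```

Run on the sample, only 203.0.113.7 is reported, with alice and dave as the accounts that need a forced reset. Counting distinct accounts per source is the simplest signal and is enough for the single-source run shown here; a run spread across many sources keeps each one under the threshold, so production detection adds a global baseline (site-wide failure rate, or successes per account from previously unseen sources) alongside the per-source view.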
Disney+ not the happiest place on Earth, accounts stolen found on sale