Originally Published on December 3, 2019
On launch day for Disney Plus, the dark web lit up with the new Disney accounts for sale. From $3.00 – $11.00, hacked logins were offered (above the price directly from Disney, by the way) for sale in exchange for Bitcoin and Monero! The rollout itself was extremely bumpy without the leaks, but the Disney Plus launch was plagued by reports from media elites and the growing “Fandom Menace” unable to stay logged into their accounts. Disney customer support lines were jammed with reports of very strange activity on the platform.
People began reporting that their logins were being changed, and even after account recoveries had taken place, that credentials became compromised again. Some users in the information security community even confirmed that accounts remained logged in even after their account's credentials had been changed.
So, what happened?
“We have found no evidence of a security breach,” a Disney rep said in a statement to Variety. “We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.”
Well, the data obviously leaked somehow! Most likely, Disney handled their own cybersecurity in a professional manner given their experience in keeping important information (like the Rise of Skywalker Script) secure, so the user data leak will probably be found out as the product of bad user practices.
Most notably, these sorts of things happen when users re-use passwords across multiple platforms. The LinkedIn hack, for example, exposed 117 million usernames and passwords that were sold on the dark web, but many users still have no idea. If these hacked users have not taken the steps necessary to secure themselves, their Disney Plus accounts may have been being hacked five years before Disney even had the idea to make a streaming service in the first place. To add to the frustration, Disney uses SSO (Single Sign On) across all their platforms for customer convenience. So, if you were a victim of the Disney+ credential leak. you might want to double check your Fast Pass reservations on your upcoming Disney trip.
This sort of attack is called “credential stuffing” which is low-hanging fruit for common malicious actors to exploit. This is the most likely culprit in the Disney Plus “hack,” since it is one of the easiest attacks to perform. But it’s also very simple to protect against because the way to make sure these sorts of exploits never get you in trouble is NEVER EVER RE-USE PASSWORDS. Instead, utilize tools like 1Password or LastPass and mitigate this threat almost entirely.
We hope that this incident inspires Disney to implement MFA (Multi Factor Authentication) across all their services to help their users better secure their accounts; something their main competitor, Netflix, has yet to do. To the poor Disney fans that had their accounts stolen, sold and used, here's an important quote from Walt Disney himself: “You may not realize it when it happens, but a kick in the teeth may be the best thing in the world for you.”
Now, go update your passwords!
Extra Credit: Check if you’re credentials have shown up in any recent data leaks: https://haveibeenpwned.com/