Disney’s (DIS) new streaming service quickly became a hit with consumers after launching — but within a week has already fallen prey to the internet’s dark side.
Almost immediately after Disney+ hit mobile devices and TV screens on Nov. 12, users complained of errors logging into their account. And within days, thousands of accounts were exposed, with user data put up for sale one “dark web” forums.
For its part, the entertainment giant denied the incident fit the definition of a hack. In a statement shared with Yahoo Finance, a Disney spokesperson said that it found “no evidence of a security breach. Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the web.”
It added that Disney “continuously” audits its systems, proactively locks user accounts if any suspicious activity is discovered, and prompts them to create a new password. Disney’s stance was in line with an analysis by TrustedSec’s cybersecurity experts, who said the act is more like account hijacking rather than account hacking.
Nevertheless, “the issue there is that people tend to use the same password on multiple sites,” said Alex Hamerstone, TrustedSec’s GRC practice lead on YFi PM.
And it also means Disney isn’t entirely off the hook, Hamerstone argued — saying the company hasn’t done enough to mitigate the risk.
“So much of our lives are now online, there is so much data — they call data the new oil,” he said. “Really protecting this data is really valuable, it’s more and more important.”
Hamerstone said Disney should have at least offered a two-factor authentication, so that users have the choice to secure their accounts if they want to go through the extra step. Not to mention, there are other ways companies can go above and beyond.
“There are certain [companies] out there who will go out and look at these databases of passwords, and see if their users are using the same passwords — and if they are, they will force them to change the password,” he said.
“In this case, it’s the users who have compromised themselves, but in general, I would love to see companies take security much more seriously,” he added.
These hacks come with ‘warranty’
Binary Defense, TrustedSec’s sister firm, went through “dark web” forums and found posts offering various number of accounts for sale. One cache included a haul of 1,247 stolen accounts posted just last week.
Curiously, sellers offer “1 year warranty” — meaning any accounts that no longer work will be replaced with an accessible one.
Hackers usually acquire troves of passwords from previous data breaches — and in the case of Disney+, users of Chegg.com seem to have been hit the most. The firm also found breaches sourced from users of MyFitnessPal, MGM Grand Hotels, and Adult Friend Finder, among others.
Experts say there are ways to protect a user password:
Use a “password manager” program to save data;
Think of a phrase, and take the first letter from each word in the phrase to make a long and seemingly random sequence of letters;
Add punctuation such as commas.
“Really protecting this data is valuable, it is more and more important,” said Hamerstone. “Down the road I do want to see more regulations around or things like that.”
Grete Suarez is producer at Yahoo Finance for YFi PM and The Ticker. Follow her on Twitter: @GreteSuarez