Disney+ accounts hack highlights need for more password security

The Mandalorian, on Disney+

Disney+, the major studio's rival video streaming service to Apple TV+, has hit upon a second launch snag, with a number of users claiming their accounts have been hacked, but the small number of people affected suggests the issue lies in poor password management than in Disney's security.

Disney launched Disney+ on November 12 and quickly became a victim of its own success, with issues caused by the sheer number of users trying to access the service immediately after its launch. While the service has recovered from the mass influx of users, with it having attained over 10 million customers in its opening 24 hours, another problem relating to security has surfaced.

A number of users spotted by ZDNet complained they were unable to access their account, or found someone without authorization had accessed their account. In the worst cases, users found their devices had been logged out and the account email and password changed, effectively locking them out completely.

Account credentials for Disney+ then started to appear on hacking forums, selling for between $3 and $11 each, as well as being sold on the dark web. The accounts are oddly high in terms of value, as a normal Disney+ subscription is $6.99 per month, though some users have prepaid for access for longer periods than a month, increasing their potential price.

While there has yet to be a confirmation from Disney about the issue, it seems the problem could simply be from poor password management techniques from users. A search by the BBC on Monday revealed more than 4,000 customer accounts were being sold on one site, a tiny number compared with the many hundreds of thousands that would usually be taken as part of a major site breach.

It is plausible the small number of affected accounts could be caused through hackers taking advantage of earlier breaches to acquire lists of email addresses, usernames, and passwords, and simply attempting to log into each set of credentials until one works. As many users continue to reuse the same combinations at multiple venues, the probability of finding functional accounts in this manner is pretty good considering the amount of source material available.

AppleInsider and security experts recommend the use of unique passwords for each account, as a breached set of credentials from one site cannot be used to access another, minimizing the chance of such hacking attempts from working at all. An efficient way of doing this is by using a password management tool, with some offering the ability to create and automatically filling in unique passwords on behalf of the user.