Disney+, the major studio's rival video streaming service to Apple TV+, has hit a second launch snag, with a number of users claiming their accounts have been hacked. The small number of people affected, however, suggests the issue lies more in poor password management than in Disney's security.
Disney launched Disney+ on November 12 and quickly became a victim of its own success, with issues caused by the sheer number of users trying to access the service immediately after its launch. While the service has recovered from the mass influx of users, having attained over 10 million customers in its opening 24 hours, another problem relating to security has surfaced.
A number of users spotted by ZDNet complained they were unable to access their account, or found someone without authorization had accessed their account. In the worst cases, users found their devices had been logged out and the account email and password changed, effectively locking them out completely.
Account credentials for Disney+ then started to appear on hacking forums, selling for between $3 and $11 each, as well as being sold on the dark web. The asking prices are oddly high, as a normal Disney+ subscription is $6.99 per month, though some users have prepaid for access for longer periods than a month, increasing their potential price.
While there has yet to be a confirmation from Disney about the issue, it seems the problem could simply stem from poor password management by users. A search by the BBC on Monday revealed more than 4,000 customer accounts were being sold on one site, a tiny number compared with the many hundreds of thousands that would usually be taken as part of a major site breach.
It is plausible the small number of affected accounts is the result of hackers taking advantage of earlier breaches to acquire lists of email addresses, usernames, and passwords, and simply attempting to log in with each set of credentials until one works. As many users continue to reuse the same combinations at multiple venues, the probability of finding functional accounts in this manner is pretty good considering the amount of source material available.
AppleInsider and security experts recommend the use of unique passwords for each account, so that a breached set of credentials from one site cannot be used to access another, minimizing the chance of such hacking attempts working at all. An efficient way of doing this is by using a password management tool, with some offering the ability to create and automatically fill in unique passwords on behalf of the user.
20 Comments
Yeah, a non-story story.
Disney wasn't hacked.
10 million subscribers in 24 hours (a number Apple wishes they had). Account problems are to be expected. It's the human condition.
The article is subtly recommending to use complex Apple Keychain generated passwords.
On the surface they seem secure because they need a password, or biometric and a related hardware device to access; but even without that they all follow a pattern, so I do not use them for anything important.
The speedy turn around suggests people reused passwords and email addresses from a previously hacked service; yet the number is small compared to the user base - perhaps these people have compromised computers with key loggers installed.
Whilst Disney's programmers are at it they also need to fix the app for Apple TV. The way Apple TV works with the Apple TV Remote to change audio input (e.g. switch between HomePods or other Audio system) is to swipe down. In all apps such as Netflix this is honored. In the Disney app this has been purloined for a different use. That's poor beta testing on their part to miss that.
I run into some websites and apps, including from huge corporations, on which I've attempted to use Apple's "strong password," only to realize they're being old-timey and requiring a password 8-11 characters with one capital letter and one number or some such. I generally just close the browser/delete the app at that point.