Disney Plus Data Account Breach Thumbnail

Thousands of Disney Plus Accounts Hacked After Launch

Disney’s new streaming service was hacked a week after launching and hackers are offering breached accounts for sale online for $1 a month or $3 a year.

The service garnered over 10 million subscribers on their first day and within hours hackers took control of user accounts.

Disney+ users said on social media hackers were logging in to their accounts, logging them out and changing the email and password of their accounts.  If this is true, then some users could be in huge trouble. 59 percent of people use the same password everywhere, according to a poll conducted by Lastpass. Therefore, there’s a big chance Disney+ subscribers use the same email and password for multiple accounts.

Other streaming services such as Netflix, Hulu and HBO Now have been targeted by hackers too. Users report finding unfamiliar names and profiles in their accounts.  And if you’re a hacker looking to make a quick dollar, it this isn’t too hard to do.

How Did This Happen?

It’s estimated that millions of online accounts are scouted and tested using a method called credential stuffing. Hackers test a database of stolen information such as passwords and usernames against various accounts in order to find a match.

Hackers have programs that run these tests in seconds. And since we know over half of people use the same username and passwords across multiple accounts, there’s a huge probability they’ll find a match.

Another scam cybercriminals use to get your email, in the instance of Disney+, would be to send a fake email to a subscriber warning them their accounts were locked. The fraud email asks the user to provide their account information for “verification”. After a hacker gains this information, they log in to the account, change the password and block the subscriber from accessing his or her account. This is a form of phishing and it happens every day.

Disney Plus Data Account Breach Statistics

It’s a Bad Week for Disney+

The curious thing about Disney+ is that users who had unique passwords also got their accounts hacked according to a ZDNet report. Secondly, the new streaming service was still in the seven-day free trial period, even for people who signed up for it immediately after it went live. In other words, there wouldn’t be any profit for hackers since people were still using it for free. Moreover, if you’re a Verizon customer you get Disney+ free for a year.

The new streaming platform has had a rough first week since it went live on Nov. 12, with slow screen loads to messages on their homepage displaying ‘unable to connect’. The company said it was working hard to fix the problem and they were mainly due to a demand for the service that was higher than expected.

Subscribers of streaming services should ignore and avoid emails relating to their accounts and never provide account information through email. Also avoid using the same password for everything. It’s honestly an invitation to get hacked. If even one of your accounts is compromised that risks all your accounts.

Why Does it Happen?

And this isn’t something common just among streaming service users, it’s common for everyone. Even people who work in industries and companies with extremely valuable data fail to take precaution. It’s been reported repeatedly that human error is the leading cause of cybercrime. To be more specific, human error is the main cause of 95 percent of cyber security breaches according to an IBM study.

Human error encompasses a large variety of actions, not just password related errors. It can be downloading malware after opening a phishing email or working on an insecure network. Victims of ransomware attacks aren’t foolish, just careless.

The Disney breach might not seem related to company breaches until you consider Disney+ users are accountants, lawyers, financial advisers, and business owners. If over half of people use the same password for everything, what’s stopping them from using their Disney+ password to access their account information or login to their database?

For a cybercriminal, this is their best-case scenario. They access a user’s information, discover he works at a medium size accounting firm, and proceed to use the password they got from accessing their streaming service to access their firm. There are even cases where people use their work email as their login email for other accounts.

It Takes More than Good IT

There is only so much IT for accounting firms can do in this case. Companies must do more than rely on their IT infrastructure to keep them safe. Situations like these create huge compliance risks for those who work in the financial services industry. For those who work in or own their own business, it creates liabilities that could potentially ruin the company.

Hackers always look for the path of least resistance. They choose a small or medium sized business because it won’t attract too much attention. They send hyper-targeted phishing emails because people are likely to fall for them. Cybercriminals even buy malware programs on the dark web so they don’t have to develop it themselves. The trick is to do everything possible to make their jobs as difficult as possible by implementing smart, best-practice procedures. At the end of the day it’s about eliminating liabilities.

Disney+ users should be mindful of what email they use to login and what password they choose. It might affect more than their weekend.

Click here to read our blog about how  businesses can protect themselves from cyberattacks.