The highly anticipated Disney+ streaming service launched last week – and was promptly targeted by hackers looking to compromise users’ accounts.
Around 4,000 customer account credentials have shown up for sale on hacking forums for around $3 each, according to reports.
An investigation by ZDNet showed that the account details available on underground forums include username, password, subscription type and expiration date.
“It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big new consumer launch,” Niels Schweisshelm, technical program manager at HackerOne, said via email. “The scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them – cybercriminals can rely on consumers’ security apathy to give them an easy win.”
Monique Becenti, channel and product specialist at cybersecurity firm SiteLock, added in an interview, “In this instance, bad actors were likely quick to go after user accounts for Disney+ because this platform was expected to attract millions of users. The sheer volume of available users combined with a relatively new platform presented an opportunity for hackers to exploit any undiscovered weak entry points.”
Customers also said that hackers have gone so far as to hijack their accounts by changing their emails and passwords. In fact, scores took to social media to complain of being locked out.
@disneyplus have made a second Disney+ account for a 7 day trial, with different email and password, same credit card for payment. It worked.
So how do I cancel my first account, that I am locked out of? Can’t log in to cancel it. Will be charged Tues for locked subscription
— D. H. (@SparkleSV) November 17, 2019
The credential dump represents a fraction of the 10 million people in the United States, Canada and the Netherlands who have already signed up for Disney+ (which offers Marvel, Star Wars, Pixar, NatGeo and Disney content, both old and new). However, the House of Mouse is feeling a significant backlash as subscribers claim that Disney customer service has not helped them with account recovery.
Lies!!! Been trying to get help since release day and haven’t received it. Check your DM’s
— Papa Bear (@dewittsmith74) November 17, 2019
I only got help by calling; they never check the DMs… I had to stay on hold for an hour and a half, but it's a lot faster than waiting for a DM reply.
— Michael C (@romtownhotboy) November 17, 2019
Disney did not immediately return a request for comment from Threatpost.
Security Lessons and Failures
Details are scant on how the accounts were compromised, but researchers had some ideas — and some recommendations.
“There is some speculation about the source of the leaked user accounts. If I had to guess, I believe that either tailored malware or a spray [phishing] attack were used to hijack the user accounts,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost.
SiteLock’s Becenti added, “In some cases, bad actors typically gain access to accounts when consumers reuse passwords across multiple logins, or they deploy cross-site scripting attacks that can capture keystroke logging to gain unauthorized access to account credentials.” That said, the BBC reported that many of the victims told its reporters that they had used unique passwords.
The streaming service does not have multifactor/two-factor authentication (MFA/2FA), which has prompted calls from security researchers for Disney+ to upgrade its authentication program.
“Disney should have implemented mandatory MFA, especially for privileged operations,” said Oliveira. “Relying on username and passwords isn’t what we would expect from a company such as Disney. I expect that Disney will take responsibility here and help their customers with assistance towards fraud prevention and theft. The hijacked accounts, even if stopped, will continue to generate issues and mistrust for an extended period of time.”
However, Jonathan Deveaux, head of enterprise data protection at comforte AG, cautioned that even with MFA in place, other steps should be taken.
“There’s still the situation of user IDs – in use with other websites – which are the same user IDs at Disney+,” he said via email. “One very effective way is to use data tokenization, which replaces user IDs and passwords with scrambled text, which has no usable value in hacking incidents. Strong encryption is also effective in reducing the likelihood of data exposure during a breach.”
Becenti agreed, adding, “New applications should go through a lengthy beta test including pentesting to help reduce or prevent future attacks like this.”