[BreachExchange] Disney+ blames past hacks on user accounts being sold online just a week after racking up 10m subscribers in a day during streaming service launch

Destry Winant destry at riskbasedsecurity.com
Fri Nov 22 10:35:37 EST 2019


https://www.dailymail.co.uk/news/article-7707911/Disney-Plus-blames-past-hacks-user-accounts-sold-online.html

Disney said Disney+ account passwords being sold in underground
hacking forums are coming from previous breaches at other companies,
predating last week's launch of its streaming service.

The company reiterated Wednesday that it found no evidence of a
security breach and that account problems are limited to 'a very small
percentage of users' of Disney+.

Disney and other traditional media companies are trying to capture the
subscription revenue now going to Netflix and other streaming giants.

Helped by promotions, including a free year for some Verizon
customers, Disney+ attracted 10 million subscribers on its first day.

The news site ZDNet found stolen account usernames and passwords
selling for $3 on underground hacking forums. Disney's streaming
service costs $7 a month or $70 a year.

Despite warnings by security experts, users often reuse passwords at
multiple services, meaning a breach at one opens the door for a hacker
to gain access to the others.

Users can easily avoid this by using strong passwords that are unique
for each service, said Troy Hunt, an Australian security researcher
whose 'Have I Been Pwned?' website alerts people when their identity
information is stolen.

But Hunt said Disney should implement better security measures.

'The Disney situation appears to be yet another credential stuffing
attack where hackers exploit a combination of customers reusing
passwords and the service provider not providing sufficient defenses
to stop it,' Hunt said in an email.

Paul Rohmeyer, a professor at the Stevens Institute of Technology in
Hoboken, New Jersey, said he's surprised that streaming services
haven't yet implemented better security such as multi-factor
authentication.

With multi-factor authentication, users must enter a code sent as a
text message or email when logging in from a new device.

The code helps ensure that people using stolen passwords or guessing
them can't use a service without also having access to the legitimate
user's phone or email account.
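As an added illustration, not code from the article or from any of the services it names, here is how a login service could act on both points above: flag sources replaying a credential list (many distinct accounts, mostly failures) and apply the new-device rule so a correct password alone is not enough. The sample events, device ids, account names and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample login events (source IP, username, password accepted?,
# device id); illustrative only, not data from the article.
SAMPLE_EVENTS = [
    ("203.0.113.5", "alice", False, "dev-x9"),
    ("203.0.113.5", "bob", False, "dev-x9"),
    ("203.0.113.5", "carol", False, "dev-x9"),
    ("203.0.113.5", "dave", False, "dev-x9"),
    ("203.0.113.5", "erin", False, "dev-x9"),
    ("203.0.113.5", "frank", True, "dev-x9"),   # a reused password hits
    ("198.51.100.7", "alice", False, "dev-a1"),  # one user mistyping once
    ("198.51.100.7", "alice", True, "dev-a1"),
]

# Devices each account has previously logged in from (constructed).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "frank": {"dev-f1"}}


def stuffing_sources(events, min_accounts=5, min_fail_rate=0.8):
    """Sources that tried many distinct accounts and mostly failed: the
    signature of a leaked credential list being replayed, as opposed to
    one user fumbling their own password."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for src, user, accepted, _device in events:
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        s["fails"] += 0 if accepted else 1
    return sorted(
        src for src, s in stats.items()
        if len(s["users"]) >= min_accounts
        and s["fails"] / s["attempts"] >= min_fail_rate
    )


def needs_step_up(known_devices, user, device_id):
    """The new-device rule the article describes: an unfamiliar device must
    also present the emailed or texted code, even with the right password."""
    return device_id not in known_devices.get(user, set())


def login_decision(known_devices, flagged_sources, src, user, accepted, device_id):
    """Wrong password is denied outright; a correct password from a flagged
    source or from a new device is held for a second factor."""
    if not accepted:
        return "deny"
    if src in flagged_sources or needs_step_up(known_devices, user, device_id):
        return "step_up"
    return "allow"
```

With these thresholds the single mistyped login from 198.51.100.7 is not flagged, while the six-account run from 203.0.113.5 is, and its one password hit still has to pass the new-device code.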

Rohmeyer said services may be hesitant to implement tougher security
because they don't want to be seen as more inconvenient than
competitors.

Multi-factor authentication is an option for many non-streaming
services, including Google, Facebook and Apple, but the extra security
must be turned on.

Disney+ does require codes sent by email when changing account
passwords, but it doesn't use them for logging in from new devices.

Multi-factor authentication is harder to implement for services that
are shared in households, as multiple users would need access to the
same phone or email account.

While Disney+, Netflix and Hulu let family members create their own
profiles, with separate watch lists and preferences, they all share
the same username and password.

Apple TV+ gets around this by having each family member sign in with a
separate Apple ID.
