Disney+ had a rocky launch last week, with technical issues and customer service complaints galore. Now, it looks as though Disney+ has a hacking problem as well.
An investigation by ZDNet found that hacked usernames and passwords for Disney+ accounts are being offered up for sale on dark web marketplaces, and users on social media reported getting locked out of their accounts immediately after the service launched November 12. Two individuals who spoke with ZDNet reported that they reused passwords associated with other accounts. If those other accounts have been compromised in the past, the Disney+ hackers could have gained access by trying those resued passwords. But other users claimed their passwords were unique to the account, which could mean a number of other factors were at play.
David O’Brien, a senior researcher and assistant research director for privacy and security at Harvard University’s Berkman Klein Centre for Internet & Society, told Gizmodo by phone that the easiest answer is the reused passwords problem.
“People very commonly reuse passwords between sites because it’s convenient,” O’Brien said. “The reason there is, of course, it’s hard to memorise long passwords to begin with, and it’s hard to memorise a long list of long passwords. So people often take the shortcut of just using the same password between sites and they might not know when it’s been compromised or not.”
As ZDNet noted, it’s possible that the credentials were swiped with malware. It’s also possible the stolen passwords were unique but similar to previously compromised passwords, or simply common and easy to guess, such as “123456,” “abc123,” or “princess.” For its part, Disney told Gizmodo that there’s been no sign of a security breach that would put user credentials at risk.
“Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” the company said in a statement. The company advised users who believe their accounts have been compromised to contact its customer service, though wait times are still excessive more than a week out from its launch. When Gizmodo attempted to call today, an automated message said the expected wait time was “greater than 60 minutes.”
Because Disney+ lacks multi-factor authentication, the best thing users can do to protect their logins against bad actors is using randomly generated passwords for all of their accounts, O’Brien said. And because memorising 200 randomly generated passwords is nearly impossible for most people, a password manager is one of the best ways to ensure that those unique logins remain secure.
Another thing Disney+ users—or anyone, really—should do is check Have I Been Pwned, a resource for cross-checking whether your credentials have been jeopardized in a data breach. If they haven’t, well, consider yourself lucky. But if they have, update your logins as soon as possible—with new, unique, and randomly generated passwords. And immediately change any other accounts for which you used the same password as the breached accounts. Nobody wants to get booted from their account with all of these The Mandalorian spoilers spreading like wildfire.