LOS ANGELES: Thousands of Disney+ accounts have reportedly been hacked and stolen – and offered for sale on underground cybercrime forums. Disney has now responded, saying only a "small percentage" of the service's 10 million-plus users have seen their usernames and passwords compromised and that Disney+ systems were not breached by hackers.
"We have found no evidence of a security breach," a Disney rep said in a statement to Variety. "We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password."
The response comes after a report by tech-news site ZDNet that several thousand Disney+ accounts were being offered for free on hacking forums or available for US$3-US$11 (RM12-RM46) per account. It's not clear how the credentials were poached, but the speculation is hackers "gained access to accounts by using email and password combos leaked at other sites" or by using keylogging malware, per the ZDNet report.
Disney pointed out that the problem of cybercriminals stealing usernames and passwords isn't unique to Disney+: "Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the Web."
Indeed, currently, there are nearly 80,000 compromised Netflix accounts for sale from one single market, on offer for an average one-time payment of US$6 (RM25) per account, according to KELA, an Israeli threat-intelligence provider. Also, to put the Disney+ hacks into context, they appear vastly smaller in scope than security breaches that have afflicted the likes of Yahoo (which said upwards of 3 billion accounts were stolen several years ago) or Facebook (which last year said hackers had accessed info on 29 million users).
In the case of Disney+, according to Disney, "We have seen a very small percentage of users in this situation and encourage any users who are having these kind of issues to reach out to our customer support so we can help them."
A big question is why hackers would purchase account info for Disney+ or any other service – given that the accounts would likely be disabled in short order for suspicious activity. One possibility is that cybercriminals intend to use the login details to try to attack other services, as users often reuse the same passwords for multiple sites. According to a Google study earlier this year, 52% of consumers said they use the same password across multiple accounts – and 13% use the same password for all accounts.
Meanwhile, even though Disney is telling users to contact Disney+ customer service if they believe their accounts have been hacked, numerous users have complained that wait times remain very long for Disney+ support. The company said Nov 19 that there's still a "high volume" of incoming help calls.
The customer-service backlog appears to be a holdover from Disney+'s widespread technical problems on launch day, including users being unable to log in to the service at all. On Nov 19, Kevin Mayer, Disney's direct-to-consumer chairman, said the glitches were related to "the way we architected the app", and not because of any third-party provider.
Disney+ launched Nov 12 in the US, Canada and the Netherlands, followed by Australia and New Zealand on Nov 19. At launch, Disney+ includes nearly 500 movies and 7,500 TV episodes from Disney, Pixar, Marvel, Star Wars, National Geographic, and other brands, including originals like The Mandalorian, which data shows has piqued interest among viewers.
Disney+, after a free seven-day trial, costs US$6.99 (RM29) per month (or US$69.99/RM291 per year). Disney also is selling a discounted bundle including Disney+, Hulu, and ESPN Plus for US$12.99 (RM54) monthly. In addition, Disney has a deal with Verizon to give Verizon Wireless unlimited-plan customers one year of Disney+ for free, with the same offer for new Fios broadband and 5G home broadband subscribers. – Variety/Reuters