News Insights: Thousands of Disney+ Accounts Have Been Hacked, And They’re Already For Sale on the Dark Web

News Insights:

Jonathan Deveaux, head of enterprise data protection at comforte AG, commented:

“The details are unclear regarding the reports of hacked Disney+ accounts.  At this time, there are no indications that point to a hack or data breach within the Disney cybersecurity program. What could be happening is a mass effort by bad actors to use previously stolen user IDs and passwords.  A quick search on https://haveibeenpwned.com/ reveals websites previously subjected to security events or databases exposed during hacking incidents.  There are hundreds of incidents which contain millions of leaked user IDs and passwords.

What is missing from the Disney+ security service is multi-factor-authentication (MFA). MFA is a method in which access is granted only after two or more pieces of evidence a provided when signing onto a service.  The password is one of the pieces; depending on how MFA is deployed within a service, a second piece could a code sent to the user’s mobile phone, which is then entered at the time of login.  MFA does not guarantee that only the authorized user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad-actors gaining access with only user ID and password credentials.

If this is the case with the reports of hacked Disney+ accounts, then Disney did not do anything wrong per se, but they could elect to look at increasing their security posture by upgrading their authentication program.

Of course, there’s still the situation of user IDs – in use with other websites – which are the same user IDs at Disney+.  This is a similar concern any company faces when offering a service online.  In general, companies still need to protect user IDs and passwords from getting hacked through their website or from database security loopholes. One very effective way is to use data tokenization, which replaces user IDs and passwords with scrambled text, which has no usable value in hacking incidents.  Strong encryption is also effective in reducing the likelihood of data exposure during a breach.”

Lamar Bailey, senior director of security research at Tripwire, provided the following comments:

“There has been no information about a security or configuration issue that would allow hackers to gather passwords. This is most likely the age old issue of using weak passwords to login. This is more of a problem with streaming apps on TVs and devices. If you have ever had to enter a complex password on a streaming app, you can see why someone would want to use something easy.

“We often hear about two factor authentication being a solution, but with streaming apps this can be a pain. For example, if you have kids that want to watch a show and you need to approve the sign-in on a second device. Disney+ customers get email alerts when the email or password has changed, and if you select “forgot password,” you are emailed a code, so a change in password or email should not be a surprise.”