Tis the season to be jolly, but not for Disney customers. Instead of preparing turkey stuffing, they suffered an attack of credential stuffing!

Disney’s brand new streaming service, Disney Plus, had been online for mere hours on Nov 12 before hackers managed to commandeer thousands of user accounts and selling them for a few dollars apiece. When the service first went live, it had experienced an outage. Subsequently, customers had trouble logging into their accounts and started complaining on social media.

Some investigations claim the affected users had been locked out of their accounts because they had used the same user email and passwords which had already (unknown to the users) been stolen. 

Experts have jumped on the opportunity to weigh in on the security incidents. Niels Schweisshelm, Technical Program Manager at HackerOne, said it is no surprise that cybercriminals jump on the same bandwagon as everyone else whenever there is a big new consumer launch.

“The scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them—cybercriminals can rely on consumers’ security apathy to give them an easy win.”

According to Niels, this incident is a reminder to all consumers about the importance of securing online accounts with unique and strong, complex passwords.

Over at Sophos, Senior Security Advisor John Shier believes that the hacks were likely the result of a ‘credential stuffing’ attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users’ devices.  

Credential stuffing is when cybercriminals use leaked credentials from one website—which could already be for sale on the dark web—and try those same credentials on other online services. This breach is a prime example of the importance of having unique passwords across all of your online services. “As we’ve seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person’s previously compromised passwords across different services, that will be their default.” 

So, the universal lesson here is, whether it is Netflix, Disney+ or other providers, users should observe the best practices for online services platforms: 

  • Don’t reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches 
  • Provide as little personally identifiable information online as possible 
  • All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defense.

Unfortunately, the Disney+ platform does not appear to offer any kind of multi-factor authentication which would thwart these kinds of attacks against online services. 

Whatever the root cause, users of online services should incorporate these tips into their everyday cybersecurity practices, instead of assuming that service providers will always be liable. 

Says Niels: “For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers. Organizations can do their part by implementing and pushing or even mandating two-factor authentication so that even if passwords are breached, the damage is contained.”