BlackBerry Blog

Was Your New Disney Plus Account Stolen?

NEWS BITES / 03.05.20 / Kim Crawley

When I first heard about the launch of Disney Plus, I had already decided to subscribe to it. Sure, I have a Netflix account, and I have an account for the (very awesome) Funimation’s anime streaming service. But Disney, with their recent acquisition of 21st Century Fox, were starting to pull their massive library of television and movie content from any streaming service they don’t own themselves. As of March 2020, the service already has 28.6 million subscribers.

As for many others of you out there, the Disney Afternoon was a big part of my childhood. I’ve loved DuckTales, Darkwing Duck, and Chip & Dale Rescue Rangers for decades. As for my boyfriend, a man I share all of my streaming accounts with, he’s been a diehard Star Wars fan since he was very little. He also adores The Simpsons. Those are all Disney properties now, and Disney Plus grants us all of that nostalgic content on demand.

When the service finally launched on November 12th, I signed up the moment I woke up. The new service worked great early that morning, but a couple of hours later, it slowed to a crawl. DownDetector.com received about 7,500 reports on the big Disney Plus launch day. About 65% of the reports were about video streaming issues, and the other 35% were login issues.

I could log in that day, but after about 9am here, trying to stream was a pointless endeavor. On the next day, November 13th, everything was working properly again. Disney apologized and expanded the capacity of the Disney Plus backend. They said in a statement, “The consumer demand for Disney+ has exceeded our high expectations. We are so pleased you’re excited to watch all your favorites and are working quickly to resolve any current issues. We appreciate your patience.”

Without inside knowledge, I can safely assume that Disney went to their cloud provider, and they bought a lot more server capacity and bandwidth. Whew! That’s the end of the Disney Plus technical woes, right?

Trouble in The Mouse House?

Wrong. Within the first few days of the Disney Plus launch, many users were reporting that their accounts had been hacked. Disney Plus requires an email address or username to log in, plus a password. As of this writing, there’s still no two-factor authentication for Disney Plus. That’s a real bummer. Data breaches occur at a constant pace, and we’ve pretty much all been subject to at least a few of them.

When my credentials for my other online accounts have been breached, cyber attackers would still have great difficulty exploiting my accounts because I usually have two-factor authentication (2FA) set up via text message, or even better, Google Authenticator. (Google Authenticator isn’t subject to SMS man-in-the-middle vulnerabilities.) That’d buy me time to change the passwords on my breached accounts. As long as I’ve still got my phone, I’m good.

But when usernames and passwords for Disney Plus accounts are breached, that’s all a cyber attacker needs to make the victim’s account their own. Lots of people were reporting having their Disney Plus accounts breached on Twitter. Here are a few highlights:

“Not even been half of a week and my dad’s Disney+ account has ALREADY been hacked.

Great security there @disneyplus @Disney. Unbelievable. #DisneyPlus” - CommandrBlitzer

“#distwitter has anyone’s @disneyplus account been hacked? My friend’s was; hackers changed email and password. Now she’s completely blocked from her 3-year prepaid Disney+ account. She’s been on hold for >2 hours” - Travel4vr

“DISNEY+ HAS BEEN OPEN FOR LIKE 10 HOURS AND MY ACCOUNT HAS ALREADY BEEN HACKED” - brandoncult

I decided to do a bit of Open Source Intelligence or OSINT for short. I went to the Dark Web’s popular Empire Market (ED: Don’t try this at home, folks!), which is like eBay but for illegal stuff. A Disney Plus search on Empire Market turned up this listing:

“Disney+ DISNEY PLUS – ★PREMIUM ACCOUNT★ [LIFETIME WARRANTY]

Hacked and Shared account of DISNEYPLUS.COM for your favorite movies and TV shows from Disney, Pixar, Marvel, Star Wars, and more. Get the full Disney+ experience, plus your favorite TV episodes. If u have any question please write me before purchase.”

This particular seller was hawking the accounts for $6.64 Canadian each, payable in Bitcoin, Litecoin, or Monero. Disney Plus offers accounts to Canadian customers for $8.99 Canadian dollars per month. If the account-theft victim automatically renews their Disney Plus subscription on their credit card and doesn’t cancel, that is a great recurring value to a wanna-be cybercriminal who doesn’t want to buy the Disney Plus service legitimately.

Of course, most of the value of hacked Disney Plus accounts to cyber attackers is access to the credit card information associated with them. There is a way of mitigating that when signing up for these new services, however. For example, I used a Visa Gift Card to pay for my first months of the Disney Plus service, so if my account was breached, I’d be at a lot less financial risk than someone who paid with a conventional credit card linked to their bank accounts.

Was the Disney Hack a Security Breach?

For what it’s worth, Disney Plus made a statement to Business Insider: “Disney takes the privacy and security of our users' data very seriously and there is no indication of a security breach on Disney+.”

If there are no indications of compromise on the Disney Plus backend, then cyber attackers may have been stealing account information from users’ endpoints, and perhaps taking over additional accounts via credential stuffing, which ultimately comes down to users not protecting their passwords properly. Credential stuffing is when a cyber attacker tries a victim’s known credentials for one service on another service or platform. Given the frequency of data breaches, the takeaway here is to try your very best to never reuse any passwords.
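Credential stuffing leaves a recognizable trace on the service being hit: one source address tries many different usernames in a short time, almost all of them fail, and the occasional success is a reused password landing. The following detector is an added example written for this article, not code from Disney or from any product; the log format and the sample lines are constructed (RFC 5737 documentation addresses, invented usernames), and the thresholds are illustrative defaults a defender would tune to their own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one address cycling through many accounts, plus one
# ordinary user mistyping their own password twice. Not from any real system.
SAMPLE_LOG = """
2019-11-13T08:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-11-13T08:00:03Z ip=203.0.113.7 user=bob result=FAIL
2019-11-13T08:00:05Z ip=203.0.113.7 user=carol result=FAIL
2019-11-13T08:00:07Z ip=203.0.113.7 user=dave result=FAIL
2019-11-13T08:00:09Z ip=203.0.113.7 user=erin result=FAIL
2019-11-13T08:00:11Z ip=203.0.113.7 user=frank result=OK
2019-11-13T08:00:13Z ip=203.0.113.7 user=grace result=FAIL
2019-11-13T08:00:15Z ip=203.0.113.7 user=heidi result=FAIL
this line is malformed and should be skipped
2019-11-13T08:01:00Z ip=198.51.100.22 user=bob result=FAIL
2019-11-13T08:01:20Z ip=198.51.100.22 user=bob result=FAIL
2019-11-13T08:01:45Z ip=198.51.100.22 user=bob result=OK
"""

# Hypothetical log format (an assumption for this example): timestamp, source IP, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Turn raw lines into (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag a source IP when, inside any sliding window, it tries at least `min_users`
    distinct usernames and at least `min_fail_ratio` of those attempts fail.

    A single user failing on their own account several times never trips this,
    because the distinct-username count stays at one.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # chronological order per source address
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {ev[2] for ev in span}
            failures = sum(1 for ev in span if ev[3] == "FAIL")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                stats = {"distinct_users": len(users), "attempts": len(span), "failures": failures}
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


def analyze_sample():
    """Run the detector over the constructed log above."""
    return detect_stuffing(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for ip, stats in analyze_sample().items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The successful `frank` login inside the flagged burst is the part worth acting on: it is most likely a reused password, so that account should be forced through a password reset rather than treated as a normal sign-in. Attackers spread attempts across many addresses to stay under per-IP thresholds, so in practice this per-IP view is paired with a global rate of failed logins per username and per password hash.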

If you’re a Disney Plus subscriber and you’re concerned that your account may have been hacked, change your password right away, as Step 1 to securing your account. When you choose a new password, make sure you don’t use a password that you use for any other online accounts, and certainly don’t use the same one you use for any bank accounts.

Also consider paying for Disney Plus with Visa or Mastercard gift cards, so there’s no link to your very sensitive financial information. And if Disney Plus offers 2FA at any point in the future, set it up right away. By taking these steps, you can help secure your Disney Plus account against future attacks. 


About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance or BlackBerry Ltd.