The reports came just a few days after Disney+ launched: Thousands of the streaming service accounts were already up for sale on various hacking forums, at bargain prices. As of Wednesday, new victims were still taking to Twitter and other venues to express their frustration that their accounts had been taken over. What’s happening almost certainly isn’t a hack in the way you’d normally think of it. Instead, it appears to be a classic—and regrettable—case of what’s known as credential stuffing.
As ZDNet first reported, compromised Disney+ accounts could be found on the dark web for as much as $11 a pop, or as little as, well, free. (Disney+ itself costs $7 per month, or less for a full-year plan.)
Disney rejects any suggestion that its systems have been hacked. “We have found no evidence of a security breach,” the company said in a statement. “We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.”
Taking megacorporations at their word, especially regarding cybersecurity issues, is rarely advisable, but in this case you don’t have to, because the simpler explanation is almost certainly the correct one.
“It certainly sounds like credential stuffing,” says Troy Hunt, founder of the website Have I Been Pwned, a repository of the billions of accounts that have been leaked across various breaches over the years. “This incident has all the hallmarks of what we’ve been seeing over and over again.”
For a technique that causes so many headaches—Dunkin’ Donuts, Nest, and OkCupid are all recent victims—credential stuffing is relatively straightforward. You just take a set of user names and passwords that have leaked in previous breaches, throw them at a given service, and see which ones stick. Credential stuffing tools are readily available online that not only automate the process, but also make the login requests look legitimate—sending them as trickles from multiple IP addresses rather than one suspicious, centrally located tsunami. And because people reuse passwords so frequently, it’s not hard to get a significant number of matches. (Imagine you used the same key for your house, car, office, and gym locker. Once a robber makes a copy, they can break in anywhere.)
Hackers certainly have no shortage of material to pull from. Look no further than the recent discovery of what’s known as Collections #1-5, which made 2.2 billion user names and associated passwords freely available on hacker forums. The first batch alone had 773 million records. It was effectively a breach of breaches, a compendium of data from large-scale hacks like those of LinkedIn, Myspace, and Yahoo.
The point isn’t that hackers used that data specifically. It’s that many of your user names and passwords have been compromised by now, and if you reuse them, you’re setting yourself up for a headache. And even though some Disney+ users claim that they used a unique password, chances are they may have simply forgotten. “In my experience, many times when people have proclaimed the strength of their passwords, a bit of probing shows that’s rarely the case,” says Hunt. “So I’d take those claims with a grain of salt.”
This doesn’t exculpate Disney entirely. The company links the accounts for its multiple services together, so if you lose Disney+ you also lose access to Disney World Resorts, Disney Vacation Club, ESPN, and so on. That needlessly widens your potential exposure. And the company could take the extra step of providing two-factor authentication, although other streaming services like Netflix don’t currently offer that either. Similarly, Disney could throw up more impediments to the credential stuffing process in the first place.
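As an added illustration, not part of the original article, of why the trickle-from-many-IP-addresses pattern described above slips past a plain per-IP throttle, and of the kind of extra impediment a service could raise: constructed login events and a window-level detector in Python, with the thresholds (failure ratio, username spread, IP count) as assumed values.

```python
from collections import Counter

# Constructed sample auth events ("time ip username result"); not real Disney+ logs.
# Trickle pattern: each source IP tries one leaked pair, so no IP looks noisy on its own.
STUFFING_LOG = """\
10:00:01 203.0.113.10 alice FAIL
10:00:02 203.0.113.11 bob FAIL
10:00:02 198.51.100.7 carol FAIL
10:00:03 203.0.113.12 dave OK
10:00:04 198.51.100.8 erin FAIL
10:00:05 203.0.113.13 frank FAIL
10:00:05 198.51.100.9 grace FAIL
10:00:06 203.0.113.14 heidi OK
10:00:07 192.0.2.5 ivan FAIL
10:00:08 192.0.2.6 judy FAIL
"""
# Ordinary traffic: a user mistypes a password from one IP, then signs in.
NORMAL_LOG = """\
10:00:01 203.0.113.50 alice FAIL
10:00:05 203.0.113.50 alice FAIL
10:00:09 203.0.113.50 alice OK
10:00:10 198.51.100.20 bob OK
10:00:11 198.51.100.21 carol OK
10:00:12 192.0.2.30 dave OK
10:00:13 192.0.2.31 erin OK
10:00:14 198.51.100.22 frank FAIL
10:00:15 198.51.100.22 frank OK
10:00:16 203.0.113.51 grace OK
"""

def parse(log_text):
    """Split each line into (time, ip, user, result)."""
    return [tuple(line.split()) for line in log_text.splitlines()]

def per_ip_throttle_trips(events, limit=5):
    """Classic defence: block an IP after `limit` failures; trickled stuffing never trips it."""
    fails = Counter(ip for _, ip, _, res in events if res == "FAIL")
    return any(n > limit for n in fails.values())

def looks_like_stuffing(events, min_attempts=10, min_fail_ratio=0.7, min_user_spread=0.8, min_ips=5):
    """Window-level signal: mostly failures, nearly every attempt names a different account, many IPs."""
    if len(events) < min_attempts:
        return False
    fails = sum(1 for e in events if e[3] == "FAIL")
    users = {e[2] for e in events}
    ips = {e[1] for e in events}
    return (fails / len(events) >= min_fail_ratio
            and len(users) / len(events) >= min_user_spread
            and len(ips) >= min_ips)
```

The per-IP throttle stays silent on both logs; only the window-level check separates the stuffing run from ordinary fumbled logins.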