Disney's new streaming service launched on November 12 amid huge fanfare. There was so much excitement over the launch that the service basically crashed due to so many people trying to access it at the same time. Now some are questioning the site's security measures after thousands of Disney + accounts were hacked and resold.
According to ZDNet it only took hours after the launch for hackers to get to work, hacking accounts and posting them for free and for sale on online forums. Although not as widespread as the technical issues that Disney + experienced upon launch, thousands of subscribers noted that their account had been logged into and their passwords changed and took to social media to express their outrage.
DISNEY+ HAS BEEN OPEN FOR LIKE 10 HOURS AND MY ACCOUNT HAS ALREADY BEEN HACKED pic.twitter.com/YBv6CfwTlh— brandon ʕ·ᴥ·ʔ (@brandoncult) November 12, 2019
Day 7 of @disneyplus ... got hacked. Email and password changed. Been waiting in a chat room 36 mins (estimated time less than 30) and also sent a DM. I’m less than thrilled, Disney...— Becky 🦃🍁🥧 (@Rebecky84) November 19, 2019
@DisneyPlusHelp @disneyplus— Jim Fernandez (@j1mfernandez) November 13, 2019
Our account keeps getting hacked. We've changed passwords and email accounts but that did not help. We have also received an email from one of the hackers threatening us that will attack more than our Disney account. #sos #help pic.twitter.com/Na9R5WFYHt
Disney responded to Global News stating there was no breach of security on its streaming platform, although it didn't confirm whether accounts were being hacked. “Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” a Disney spokesperson stated.
Emrielle Shenher was one of those people who had their account hacked and explained to Global News that she received an email informing her that her Disney + password had been changed. She said that when she logged into the app she found multiple new profiles listed on her account that she was unable to remove even though she repeatedly changed her password and email contact.
Thousands of Disney+ accounts are being offered for free or sold for as little as $4 across several hacking forums.https://t.co/vFl0D5NL68— Globalnews.ca (@globalnews) November 19, 2019
Shenher pointed out that Disney + doesn't seem to have a way to log other users out of the service. “Unlike Netflix, I don’t think Disney+ logs off the devices once the password has been changed,” Shenher told Global News. “So once they were initially logged in, now they’re in forever and it doesn’t give an option to log out of other devices.”
Jason Hill is a lead researcher with CyberInt who told the BBC that one of the main reasons many people saw their passwords stolen was because they often reuse passwords across multiple sites. "Whilst many may consider having a unique password for each online service to be difficult to manage, password managers simplify this process and allow you to generate and securely store unique difficult-to-guess passwords," he said.
Let’s be clear here, there is big difference Disney+ being hacked and the fact that you reuse passwords and your account got logged into because hackers had your email and reused password combo! Quit reusing passwords!!— Chris Thomas (@truechristhomas) November 19, 2019
Some users are concerned since their Disney + login is connected to other Disney sites like their online store and theme parks.
@disneyplus HUGE security issue- all Disney accounts are linked together so they have the same password. This means a hack on one is a hack on all. Spending the morning on the phone with Disney Vacation Club. Got access back to DVC and https://t.co/v9x89JdYtW but not Disney+ :(— Alicia (@juliothegato) November 17, 2019
Experts suggest having unique passwords for each service you subscribe to limit the risks of a compromised email and password combination being re-used on other services.