Disney has responded to an article on a tech website that revealed that Disney+ account details were for sale on hacking forums, with thousands of usernames and passwords reportedly appearing for free or being sold for prices ranging from $3 to $11.
In a ZDNet article, the author wrote: "The speed at which hackers have mobilized to monetize Disney+ accounts is astounding. Accounts were put up for sale on hacking forums within hours after the service's launch." The tech website also featured a number of screenshots from so-called "dark web" sites that were offering usernames and passwords for users of the streaming service.
In a statement Disney shared with Variety, the company said that the hacks had affected a "small percentage" of the 10 million users. Disney also added: "We have found no evidence of a security breach ... We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password."
ZDNet speculated that the 'hacked' accounts may not have been hacked at all, but rather accessed using email and password combinations that had previously leaked from other services, in a process known as "credential stuffing."
Australian security researcher Troy Hunt, who is behind security website Have I Been Pwned, told The New York Times: "The Disney situation appears to be yet another credential stuffing attack where hackers exploit a combination of customers reusing passwords and the service provider not providing sufficient defenses to stop it."
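The defensive counterpart to the attack described above is the kind of detection Disney's statement alludes to: noticing a login source that cycles through many different usernames with a high failure rate, and locking any account it did manage to enter. The following script is an added example, not code from the article or from Disney; the log format, the field names, the thresholds and the sample lines are all constructed assumptions for illustration. It distinguishes a stuffing burst (one source, many distinct accounts, mostly failures) from a legitimate user retrying a mistyped password (one source, one account).

```python
"""Detect a credential-stuffing pattern in web login logs.

Added example, not from the article. Assumes a constructed log format:
    <ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>
A source that attempts many *different* usernames within a short window,
mostly failing, looks like credential stuffing rather than a user who is
mistyping their own password.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data; documentation IP ranges).
# 203.0.113.7 sprays ten accounts in six seconds and gets two hits;
# 198.51.100.5 is one user retrying their own account;
# 192.0.2.44 is a single normal login.
SAMPLE_LOG = """\
2019-11-13T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-11-13T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-11-13T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2019-11-13T10:00:03Z 203.0.113.7 dave@example.com FAIL
2019-11-13T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-11-13T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-11-13T10:00:04Z 203.0.113.7 grace@example.com SUCCESS
2019-11-13T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2019-11-13T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2019-11-13T10:00:06Z 203.0.113.7 judy@example.com FAIL
2019-11-13T10:02:00Z 198.51.100.5 alice@example.com FAIL
2019-11-13T10:02:10Z 198.51.100.5 alice@example.com FAIL
2019-11-13T10:02:30Z 198.51.100.5 alice@example.com SUCCESS
2019-11-13T10:05:00Z 192.0.2.44 mallory@example.com SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((stamp, ip, user, result == "SUCCESS"))
    return records


def detect_stuffing(records, window=timedelta(seconds=60),
                    min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding window, attempt at least
    `min_distinct_users` different accounts with a failure share of at
    least `min_fail_ratio`. Thresholds are assumed values for the demo."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans <= `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r[2] for r in win}
            fails = sum(1 for r in win if not r[3])
            ratio = fails / len(win)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                # Keep the widest spray seen for this source.
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win),
                                   "fail_ratio": round(ratio, 2)}
    return flagged


def accounts_to_lock(records, flagged):
    """Accounts that a flagged source logged into successfully: these are
    the ones a provider would proactively lock and force a password reset on."""
    return sorted({r[2] for r in records if r[1] in flagged and r[3]})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(recs)
    for ip, stats in hits.items():
        print(f"suspicious source {ip}: {stats}")
    print("lock and reset:", accounts_to_lock(recs, hits))
```

Note that the retrying user at 198.51.100.5 is never flagged, because the rule keys on the number of distinct accounts tried rather than on failures alone; a plain failed-login counter would lock out that legitimate user while a low-and-slow spray spread across many sources would slip under it, which is why real deployments also correlate on the password being tried and on device and network fingerprints.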
Hackers could, for example, have gained access to the accounts of users whose Facebook and Disney+ passwords were the same, following the April 2019 incident in which Facebook was found to have stored millions of user passwords in an unencrypted format—though the company said at the time that "our investigation has determined that these stored passwords were not internally abused or improperly accessed." Another major leak this year was the so-called "Collection #1" leak of 773 million unique email addresses and 21 million unique passwords that appeared on the dark web in January 2019.
Surveys cited by various publications put the share of web users who reuse the same password across numerous services anywhere from 13% to 83%, with a Google study putting the figure at 52%.
As such, the best way to protect yourself against the Disney+ hack may be to use a totally new password that is not reused from any other service. Security vendor Norton offers advice on this on its website: "use a combination of uppercase and lowercase letters, symbols and numbers," make sure your password is over eight characters long, and avoid one that contains dictionary words.