Was Disney+ hacked within 24 hours of launch? Not quite...

culgin in #security • 3 years ago

For those who are not familiar, Disney+ is Disney's answer to Netflix. It is a video content streaming platform like Netflix which was launched just yesterday. However, just within a day of Disney+ launch in the US, user accounts were hijacked and being sold on the dark web.

Source

According to this article, it was found that user accounts were listed for sale on the dark web as shown in the screenshot below.

Source

Why are Disney+ accounts targeted?

I think they were targeted because Disney allowed prepayment of up to 3 years. Unlike Netflix subscriptions, which is paid on a monthly basis, Disney+ has subscription plans that allow 1 year of prepayment. There is even a 3 year subscription plan called the Founders Circle which users can sign up with.

Source

While these longer term plans provided viewers with more discounts, they gave hackers the incentives to take over such prepaid accounts and put them up for sale. I believe that these accounts were already hijacked long before the official launch but were only put up for sale after it was launched.

Was Disney+ hacked? And what should victims do?

The short answer is, no. Disney+'s security was not compromised.

Based on initial investigation, Disney+ was not found to be hacked. Through interviews with some victims, it was found that some of them got their account hijacked because they have been reusing passwords that were compromised in previous breaches. The others might have lost their accounts through malware that was installed on their device.

For now, the victims can only log a case with Disney and wait for their accounts to be reset and returned to them. I believe it will be a lengthy verification process which potentially could take weeks.

However, the key thing is for the victims to avoid getting into such situation in the future and the most important thing is to stop reusing their passwords. Password managers such as OnePass, KeePass and Dashlane are getting increasingly popular and everyone consider using them to ensure you have unique passwords for every sites. Firefox even have a built-in password manager available for free, so there is seriously no reason not to use one.

The other thing that victims might want to try is to use services such as "Firefox Monitor" to check if their credentials were compromised in previous breaches.

Finally, if you do not have a basic antivirus installed on your PC, then you should consider getting one. There are many antivirus solutions that offer free plans, such as Avast, Avira, AVG and Bitdefender. Even if you do not like these vendors, you should at least turn on Windows Defender, which comes free shipped with your copy of Windows OS.

What Disney could have done to prevent this?

Multi-factor authentication. Multi-factor authentication. Multi-factor authentication.

After SSL/TLS encryption, multi-factor authentication is in my opinion another basic security feature that should be available for your users. Especially if you are accepting payments for your services. I would expect Disney, such a large company, to be able to provide such a basic feature.

Conclusion

While Disney was not hacked, they could have done better to protect their users, especially when they are accepting up to 3 years of advance payments, the accounts are of considerable value. On the other hand, users could have done better so secure their credentials. I think both sides have responsibilities to play here. Fortunately, the damage was not great and I believe the victims' accounts will eventually be restored but this serves as a lesson that security should not be taken for granted.

10% of post rewards goes to @ph-fund and 5% goes to @steemstem to support these amazing projects.

The "Raise to 50" Initiative

Under 50 SP and finding it hard to do much on this platform? I might just be able to raise your SP to 50. Check this post to find out more!

This article is created on the Steem blockchain. Check this series of posts to learn more about writing on an immutable and censorship-resistant content platform:

#news #disney #stem #neoxian #cybersecurity #hack #breach

3 years ago in #security by culgin

0.00 STEM

Sort:

Trending

[-]

crypto.piotr 3 years ago

Dear @culgin

Wow. I never knew about Disney+ and I surely didn't hear about their users being hacked. Interesting news buddy,

Your suggested reasons behind those hacks does sound valid. It surely must be very encouraging to steal account which has been paid for 3 years upfront. But wouldn't owners of those accounts receive access to them very easily (I presume each account is linked "for good" with some email and password can be reseted anytime).

Finally, if you do not have a basic antivirus installed on your PC, then you should consider getting one.

Which one would you suggest? Let's say that I'm not interested in anything free. Just middle-prices product. Something that wouldn't slow down my laptop to much? Any recommendations? (is Kaspersky good in your opinion?)

10% of post rewards goes to @ph-fund
Thank you :)

upvote on the way :) Enjoy upcoming weekend,
Yours, Piotr

0.00 STEM

2 votes

[-]

culgin 3 years ago

Yea, I think the accounts should be linked to an email. But it is possible that once the account is hijacked, the user can request for an email change, effectively taking over the subscription.

For paid AV, you can consider checking out Bitdefender. Kaspersky is solid as well 🙂

_{Posted with}

0.00 STEM

[-]

pedrobrito2004 3 years ago

It is true, for many years now, that the weakest link in the security of a network is the users.
For various reasons, be it the use of insecure keys, vulnerable connections or the purest social engineering used to get the user to reveal to the hacker all the information he needs.
I do not believe that this issue changes in a short time.
Well, it is unfortunate that just starting the service some of their customers face this problem, but hopefully it serves as a learning and see if other users also learn for example from others.

0.00 STEM

2 votes

[-]

culgin 3 years ago

Yea, I think companies need to provide the basic level of security to all users. That is the least they can do

_{Posted with}

0.00 STEM

[-]

pedrobrito2004 3 years ago

I think they leave it as part of the legal download, giving a minimum recommendation to users, after all if they do not follow the safety recommendations the company assumes no burden ... but, I think that can provide some bad public image to the enterprise.

0.00 STEM

[-]

machnbirdsparo 3 years ago

What Disney could have done to prevent this?
Multi-factor authentication.

Surprised they did not have this. But then, they probably just want the numbers right now. Their image can take a hit.

0.00 STEM

2 votes

[-]

culgin 3 years ago

Yea, I am surprised too but Netflix do not have the either. So what's new? 🙂

_{Posted with}

0.00 STEM

2 votes

[-]

kippl3 3 years ago

It's always a treat to read your blog The good news is, i think people are pretty familiar with multi factor authentication. But, I agree that app developers need to implement it more often.

Stop reusing passwords, people! :D

Posted using Partiko Android

0.00 STEM

2 votes

[-]

culgin 3 years ago

Haha.. Thanks for the support! Indeed the key takeaway here is not to reuse passwords

0.00 STEM

[-]

randowhale 3 years ago

This post received a 36% vote from @randowhale thanks to @culgin! All funds sent to @randowhale will be used to improve the SBD peg and will be burned at a later date.

0.00 STEM

[-]

sinlg 3 years ago

!trdo ;)

0.00 STEM

[-]

trendotoken 3 years ago

Congratulations @sinlg, you successfuly trended the post shared by @culgin!
@culgin will receive 0.00030375 TRDO & @sinlg will get 0.00020250 TRDO curation in 3 Days from Post Created Date!

"Call TRDO, Your Comment Worth Something!"

^{To view or trade TRDO go to steem-engine.com

Join TRDO Discord Channel or Join TRDO Web Site}

0.00 STEM

[-]

trendotoken 3 years ago

Congratulations @culgin, your post successfully recieved 0.00030375 TRDO from below listed TRENDO callers:

^{@sinlg earned : 0.0002025 TRDO curation}

^{To view or trade TRDO go to steem-engine.com

Join TRDO Discord Channel or Join TRDO Web Site}

0.00 STEM