For those who are not familiar, Disney+ is Disney's answer to Netflix: a video streaming platform, launched just yesterday. However, within a day of the Disney+ launch in the US, user accounts were hijacked and being sold on the dark web.
According to this article, it was found that user accounts were listed for sale on the dark web as shown in the screenshot below.
Why are Disney+ accounts targeted?
I think they were targeted because Disney allowed prepayment of up to 3 years. Unlike Netflix subscriptions, which are paid monthly, Disney+ has subscription plans that allow 1 year of prepayment. There is even a 3-year subscription plan called the Founders Circle that users can sign up for.
While these longer-term plans give viewers bigger discounts, they also give hackers an incentive to take over such prepaid accounts and put them up for sale. I believe these accounts were hijacked long before the official launch but were only put up for sale after it.
Was Disney+ hacked? And what should victims do?
The short answer is, no. Disney+'s security was not compromised.
Based on initial investigation, Disney+ was not found to be hacked. Interviews with some victims found that some of them had their accounts hijacked because they had been reusing passwords that were compromised in previous breaches. The others might have lost their accounts to malware installed on their devices.
For now, victims can only log a case with Disney and wait for their accounts to be reset and returned to them. I believe it will be a lengthy verification process that could potentially take weeks.
However, the key thing is for victims to avoid getting into such a situation in the future, and the most important step is to stop reusing passwords. Password managers such as 1Password, KeePass and Dashlane are increasingly popular, and everyone should consider using one to ensure a unique password for every site. Firefox even has a built-in password manager available for free, so there is seriously no reason not to use one.
The other thing victims might want to try is a service such as Firefox Monitor to check whether their credentials were compromised in previous breaches.
Finally, if you do not have a basic antivirus installed on your PC, you should consider getting one. Many antivirus vendors offer free plans, such as Avast, Avira, AVG and Bitdefender. Even if you do not like these vendors, you should at least turn on Windows Defender, which comes free with your copy of Windows.
What could Disney have done to prevent this?
Multi-factor authentication. Multi-factor authentication. Multi-factor authentication.
After SSL/TLS encryption, multi-factor authentication is, in my opinion, the next basic security feature that should be available to your users, especially if you are accepting payments for your services. I would expect a company as large as Disney to be able to provide such a basic feature.
While Disney was not hacked, it could have done better to protect its users: when it accepts up to 3 years of advance payment, the accounts are of considerable value. On the other hand, users could have done better to secure their credentials. I think both sides have a responsibility here. Fortunately, the damage was not great, and I believe the victims' accounts will eventually be restored, but this serves as a lesson that security should not be taken for granted.