The ongoing saga of Disney’s new streaming service hit a serious speed bump on the 18th of November, as many of the subscribers who paid for accounts on the company’s site realized that they lost their credentials to hackers. In a massive breach of data, thousands of Disney+ accounts have been compromised, with the credentials going up for sale on the Dark Web to the highest bidder. Phone lines for the company’s customer support were clogged with complaints, and Disney has yet to issue an update on what it intends to do about the lost data and compromised accounts.
More Salt in the Wound
When Disney+ launched as a competitor to other streaming services such as Netflix and Hulu, the company got over ten million subscribers in its first week. However, all was not well with Disney, as many customers complained about not being able to navigate the system because of overloaded servers. The company noted that they never expected this kind of demand from the service and had engineers working tirelessly to solve the problem. While the service is still not available in many countries, these initial ten million subscribers came from the US, Canada, and the Netherlands.
The Dark Web Surfaces
Among the complaints heard from subscribers, the first day after the system went live was a contention that after paying for the service, subscribers were locked out of their accounts. It was later discovered that some accounts were posted on the Dark Web for sale. The asking price on these underhanded message boards was around $3 per account. Conversely, the subscription cost comes in at about $7 per month, more than twice that cost.
The marketplace for the sale of these accounts allowed potential buyers to see where the account originated, what type of subscription it was, and when the subscription expired. While many of the users vehemently deny using usernames and passwords on other sites, a lead researcher at CyberInt, Jason Hill, notes that the most likely reason those passwords were stolen was that people use the same passwords for multiple sites. As an additional faux pas, Disney+ doesn’t have two-factor authentication for securing user accounts, and the company hasn’t commented on whether they intend to implement it.