Reports came just days after Disney+ launched: thousands of accounts for the streaming service were already on sale at various hacking forums, at discounted prices. As of Wednesday, new victims were still taking to Twitter and elsewhere to vent their frustration at having their accounts taken over. What happened is almost certainly not a hack in the way you would normally think of it. Instead, it appears to be a classic
As ZDNet first reported, compromised Disney+ accounts could be found on the dark web for as much as $11 a pop, or for as little as, yes, free. (Disney+ itself costs $7 per month, or less on a full-year plan.)
Disney rejects any suggestion that its systems have been hacked. "We have not found any evidence of a security breach," the company said in a statement. "We are constantly reviewing our security systems and when we find a suspicious login attempt, we proactively lock the associated user account and instruct the user to choose a new password."
Taking megacorporations at their word, especially on cybersecurity matters, is rarely advisable, but in this case you don't have to, because the simpler explanation is almost certainly the right one.
"It really sounds like credential stuffing," says Troy Hunt, co-founder of the Have I Been Pwned website, a repository of billions of accounts that have leaked in various breaches over the years. "This incident has all the hallmarks of what we have seen over and over."
For a technique that causes so many headaches – Dunkin' Donuts, Nest and OkCupid have all been recent victims – credential stuffing is relatively simple. You take a set of usernames and passwords that leaked in past breaches, throw them at a given service and see which ones stick. Credential-stuffing tools are readily available online that not only automate the process but also make the login requests look legitimate, sending them as a trickle from many IP addresses rather than as a suspicious, centrally located tsunami. And because people reuse passwords so often, it is not hard to get a significant number of matches. (Imagine you used the same key for your house, car, office and gym locker. Once a burglar has made a copy, they can break in anywhere.)
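The trickle-from-many-addresses pattern described above is exactly what a per-IP failure counter misses, which is why defenders look at fleet-wide login signals instead. The following is an added illustration, not code from the article or from any streaming service; the event format, thresholds and sample login events are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int      # epoch seconds (assumed log field)
    ip: str      # source address
    user: str    # account attempted
    ok: bool     # did the login succeed


def per_ip_failures(events, limit=5):
    """Classic defence: source IPs with more than `limit` failed logins."""
    fails = Counter(e.ip for e in events if not e.ok)
    return sorted(ip for ip, n in fails.items() if n > limit)


def stuffing_signals(events, min_attempts=40, min_ips=10):
    """Fleet-wide view the per-IP counter misses: many distinct accounts,
    roughly one try each, spread over many addresses, mostly failing."""
    attempts = len(events)
    users = {e.user for e in events}
    ips = {e.ip for e in events}
    fails = sum(1 for e in events if not e.ok)
    m = {
        "attempts": attempts,
        "attempts_per_user": attempts / max(len(users), 1),
        "distinct_ips": len(ips),
        "fail_ratio": fails / max(attempts, 1),
    }
    m["suspect"] = (attempts >= min_attempts and m["attempts_per_user"] <= 1.5
                    and len(ips) >= min_ips and m["fail_ratio"] >= 0.8)
    return m


def synthetic_campaign(n=60, ips=30, hit_every=10):
    """Constructed events mimicking a leaked-list replay: each pair tried once,
    spread over `ips` addresses, with one in `hit_every` reused passwords working."""
    return [LoginEvent(1000 + i, f"198.51.100.{i % ips}", f"user{i}@example.com",
                       i % hit_every == 0) for i in range(n)]


def typo_burst():
    """Constructed: one legitimate user mistyping four times, then succeeding."""
    return [LoginEvent(2000 + i, "203.0.113.7", "alice@example.com", i == 4)
            for i in range(5)]
```

On the constructed campaign no single IP trips the per-IP limit, yet the fleet-wide metrics (one attempt per account, 30 addresses, 90% failures) flag it, while the single user's typo burst trips only the per-IP check.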
Hackers have no shortage of material to draw from. Look no further than the recent discovery of what is known as Collection #1-5, which made 2.2 billion usernames and associated passwords freely available on hacker forums. The first batch alone held 773 million records. In effect, it was a breach of breaches, a compendium of data from large-scale hacks such as LinkedIn, Myspace and Yahoo.
The point is not that hackers used that information specifically. It is that many of your usernames and passwords have by now been compromised, and if you reuse them you are setting yourself up for a headache. And although some Disney+ users claim they used a unique password, it's likely they simply forgot. "In my experience, many times when people have explained the strength of their passwords, some probing shows that this is rarely the case," Hunt says. "So I would take these claims with a grain of salt."
None of this lets Disney entirely off the hook. The company links the accounts for its various services, so if you lose Disney+ you also lose access to Disney World Resorts, Disney Vacation Club, ESPN and so on, which needlessly increases your potential exposure. And the company could take the extra step of offering two-factor authentication, although other streaming services like Netflix currently don't offer it either. Similarly, Disney could throw up more barriers to credential stuffing in the first place.