As Disney garnered over 10 million subscribers for its online streaming service Disney+ on its first day of operation, reports surfaced earlier this week that hackers have already hijacked thousands of accounts and put them up for sale on the dark web.
ZDNet discovered several listings for Disney+ accounts on different underground hacking forums, selling for somewhere between $3 and $5 (Rs 210 and Rs 350 approx)
The Disney+ launch was marred by technical issues and users reported being unable to stream their favourite movies and shows. Several users reported losing access to their accounts.
"Many users reported that hackers were accessing their accounts, logging them out of all devices, and then changing the account's email and password, effectively taking over the account and locking the previous owner out," said the report.
Disney was yet to comment.
In some cases, hackers gained access to accounts by using email and password combos leaked at other sites, while in other cases "the Disney+ credentials might have been obtained from users infected with key logging or info-stealing malware".
Researchers asked Disney+ to help users by rolling out support for multi-factor authentication and prevent more attacks.
Security experts are calling this is a credential stuffing attack, which, as explained by John Shier, senior security advisor, Sophos means the following
Credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services. As we’ve seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person’s previously compromised passwords across different services, that will be their default.John Shier, Senior Security Advisor, Sophos
On the very first day of release, Disney+ users collectively spent 1.3 million hours streaming and watching the content available to them on the platform.
As per reports, analysts projected that Disney+ would have anywhere between 10-18 million subscribers in its first year. Disney has signed up more than half of those projected numbers in 24 hours.
The service was launched in the US for $6.99 per month or $69 per year.
The company has announced the service will be launched in major European markets, including the UK, France, Germany, Italy, Spain and "a number of other countries in the region" on March 31 next year. India is most likely to be part of the list as well, but we’ll know more about that closer to March 2020.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)