Disney+ Did Not Get Hacked.  It Wasn't Inevitable.

Disney+ Hacked? Was It Inevitable? 1 Way to Secure Your Account Now

Was Disney+ Hacked?  Some experts think so.  I disagree.

Disney+ launched just one week ago and the reviews are in.  It’s a great service with a good package deal.  You get Disney+, Hulu, and ESPN+ for just $12.99/month.

Even better than the deal is the content.  Who wouldn’t love to have access to every Star Wars, Marvel Universe, and Pixar movie plus countless Disney classics?

The content is so amazing that even hackers are stealing and reselling accounts!  On the Dark Web, you can purchase a Disney+ account for $3!  That’s a great deal, right?


Whoa, wait?  What Are You Talking About?

As expected, millions of people signed up for Disney+.  10 million-plus to be exact.  Of those 10 million subscribers, a reported 4,000 accounts have been compromised.  That is about 0.04% of the subscribers on the platform, a small fraction but still a significant number of people.

Those 4,000 subscribers no longer have access to their accounts because the thief changed the credentials on them.  Beyond disputing the charge with their bank or credit card issuer, they have had little recourse.

What Do the Cyber Security Experts Say? Was Disney+ Hacked?

This is the part that gets me.  I wasn’t even going to write a blog about the Disney+ hacks because it seemed trivial at first.

There are so-called Cyber Security experts claiming, and reporting, that Disney+ was hacked.

That is not what happened.  Disney+’s own systems were not breached; the attackers walked in with credentials they already had, for one or both of the following reasons.

  • Weak Passwords
  • Reused Passwords

Thieves and others who use the dark web keep lists of passwords that have been cracked or stolen.  These lists are sold to whoever wants to buy them, sometimes along with usernames and/or email addresses.

If you use joesmith@gmail.com with a password of abc123, and that username/password combination has been leaked (it has), then it is on a list on the dark web.  Anyone can purchase that list and try those credentials on other sites like Disney+.  This is called credential stuffing: the attacker replays leaked email/password pairs against a new service, usually with an automated tool, and every pair whose owner reused the password logs straight in.

The password in the example (abc123) is also a weak password.  If a site that stored its hash is breached, a dictionary or brute-force attack recovers it almost instantly, and the recovered plaintext ends up on the same dark web lists.

What Can Disney+ Subscribers Do?

It’s simple.  Use different passwords for every account you have and use strong passwords.

A strong password consists of UPPERCASE, lowercase, numbers, and special characters.  It should be as long as possible.  The longer the better.  Every character you add multiplies the number of possible passwords by the size of the character set (95 for printable ASCII), so a 10-character password has roughly 9,000 times more possibilities than an 8-character one built from the same characters.  Length buys you more than any single character class does.

You can also use a passphrase like a movie quote or song lyric, but not a famous one typed verbatim: well-known quotes and lyrics are already in the wordlists crackers use.  Change some of the words or string together several unrelated ones, and still mix in UPPERCASE, lowercase, numbers, and special characters.

My passwords are all at least 15 characters.
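To make the two points above concrete (checking a password against a leaked list, and how much length matters), here is an added example; it is not code from the original post or from Disney+. The leaked-credential list and the list of common phrases are constructed, made-up samples; the `check_password` function, the 10 billion guesses per second attack rate, and the SHA-1 prefix index (modelled on the k-anonymity layout Pwned Passwords uses) are all assumptions of this example.

```python
import hashlib
import math

# Constructed stand-in for a leaked-credential dump sold on the dark web.
# Real dumps hold millions of (email, password) rows; these rows are made up.
LEAKED_CREDENTIALS = [
    ("joesmith@gmail.com", "abc123"),
    ("jane.doe@example.com", "Password1!"),
    ("mark@example.net", "letmein"),
    ("joesmith@gmail.com", "Winter2019"),
]

# Constructed sample of phrases that appear in every cracking wordlist.
COMMON_PHRASES = {
    "may the force be with you",
    "i am your father",
    "to infinity and beyond",
}

# Assumed attack rate: an offline attack on a fast, unsalted hash (MD5/SHA-1)
# on a GPU rig. Slow hashes such as bcrypt cut this by several orders of magnitude.
GUESSES_PER_SECOND = 1e10


def build_breach_index(leaked):
    """Index leaked passwords by SHA-1 hash, keyed on the first five hex digits.

    This is the k-anonymity layout Pwned Passwords uses: a client sends only
    the 5-character prefix and receives every suffix under it, so the
    password itself never leaves the client.
    """
    index = {}
    for _, password in leaked:
        digest = hashlib.sha1(password.encode()).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password, index):
    """True if the password's SHA-1 suffix appears under its prefix bucket."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def charset_size(password):
    """Size of the alphabet an attacker must search, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def keyspace(password):
    """Number of candidates of this length over this alphabet."""
    return charset_size(password) ** len(password)


def expected_crack_seconds(password, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: on average half the keyspace is searched."""
    return keyspace(password) / 2 / rate


def check_password(password, index, email=None, leaked=LEAKED_CREDENTIALS):
    """Apply the post's advice: not leaked, not reused, not a famous phrase, long."""
    findings = []
    if email is not None and (email, password) in leaked:
        findings.append("reused: this exact email/password pair is in a leaked list")
    if is_breached(password, index):
        findings.append("breached: this password is in a leaked list")
    if password.lower() in COMMON_PHRASES:
        findings.append("dictionary: well-known quote or lyric")
    if len(password) < 15:
        findings.append("short: fewer than 15 characters")
    return {
        "password": password,
        "bits": round(math.log2(keyspace(password)), 1),
        "expected_crack_seconds": expected_crack_seconds(password),
        "findings": findings,
        "ok": not findings,
    }


if __name__ == "__main__":
    idx = build_breach_index(LEAKED_CREDENTIALS)
    for email, pw in [
        ("joesmith@gmail.com", "abc123"),
        (None, "May the Force be with you"),
        (None, "Aa1!Aa1!"),
        (None, "Aa1!Aa1!Aa"),
        (None, "purple-9-kettles-whistle-loudly!"),
    ]:
        print(check_password(pw, idx, email))
```

Running it shows abc123 failing three ways at once (reused, on a leaked list, and crackable in well under a second at the assumed rate), the verbatim movie quote rejected on length alone being fine but dictionary membership not, and the two `Aa1!` strings differing by exactly 95² = 9,025 in keyspace for the two extra characters.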

The next question I am always asked is how do you remember all your passwords.  The answer is I don’t.  I use a password manager.  There are tons of them out there, but I recommend LastPass for those that want to use a web-based password manager, and KeePass for those that prefer one that is not on the internet.

What Can Disney+ Do Differently?

Now that I have scolded you about your password policy, let’s talk about what Disney+ can do differently.

First, I don’t feel they are handling the complaints very well based on what I have seen reported.  If a subscriber calls and tells you that their account cannot be accessed or has been stolen it’s not hard to investigate that and take action to close the account.

The bigger problem I see is the lack of 2FA options.  Disney+ launched with no 2FA (Two-Factor Authentication) option and as of this writing still does not have one.

That said, I don’t believe it would have stopped the 4,000 accounts from being hacked.  If they’re already using weak passwords, then they probably find 2FA to be too cumbersome.

It was one of the first things I checked for.  Netflix and Hulu do have a 2FA option (turn it on if you have not already).

Disney should also consider location-aware (geofenced) login checks, within reason.  If a login comes from outside the account’s normal area, the user should have to verify they are who they say they are before getting in.

May the Force Be with You

Disney+ was not hacked.  Your account details were, somewhere else, and then reused here.  It’s that simple.  Use stronger passwords, and a different one for every site.

Disney is not off the hook though.  They need to improve the security of the platform.  With these seemingly basic options not being available, I wonder what else is lacking as far as security is concerned.

At the end of the day, cybersecurity is everyone’s job.  It is your responsibility to learn how to better protect yourself online.  Hopefully, this blog post helps a little.

I’m still going to watch the Mandalorian this week though.


Scott Gombar
