Thousands of Disney Plus accounts have reportedly been hacked and stolen — and offered for sale on underground cybercrime forums. Disney has now responded, saying only a “small percentage” of the service’s 10 million-plus users have seen their usernames and passwords compromised and that Disney Plus systems were not breached by hackers.
“We have found no evidence of a security breach,” a Disney rep said in a statement to Variety. “We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.”
The response comes after a report by tech-news site ZDNet that several thousand Disney Plus accounts were being offered for free on hacking forums or available for $3-$11 per account. It’s not clear how the credentials were poached, but the speculation is hackers “gained access to accounts by using email and password combos leaked at other sites” or by using key-logging malware, per the ZDNet report.
Disney pointed out that the problem of cybercriminals stealing usernames and passwords isn’t unique to Disney Plus: “Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the web.”
Indeed, currently, there are nearly 80,000 compromised Netflix accounts for sale from one single market, on offer for an average one-time payment of $6 per account, according to KELA, an Israeli threat-intelligence provider. Also, to put the Disney Plus hacks into context, they appear vastly smaller in scope than security breaches that have afflicted the likes of Yahoo (which said upwards of 3 billion accounts were stolen several years ago) or Facebook (which last year said hackers had accessed info on 29 million users).
In the case of Disney Plus, according to Disney, “We have seen a very small percentage of users in this situation and encourage any users who are having these kind of issues to reach out to our customer support so we can help them.”
A big question is why hackers would purchase account info for Disney Plus or any other service — given that the accounts would likely be disabled in short order for suspicious activity. One possibility is that cybercriminals intend to use the login details to try to attack other services, as users often reuse the same passwords for multiple sites. According to a Google study earlier this year, 52% of consumers said they use the same password across multiple accounts — and 13% use the same password for all accounts.
Meanwhile, even though Disney is telling users to contact Disney Plus customer service if they believe their accounts have been hacked, numerous users have complained that wait times remain very long for Disney Plus support. The company said Tuesday that there’s still a “high volume” of incoming help calls.
The customer-service backlog appears to be a holdover from Disney Plus’ widespread technical problems on launch day, including users being unable to log in to the service at all. On Tuesday, Kevin Mayer, Disney’s direct-to-consumer chairman, said the glitches were related to “the way we architected the app,” and not because of any third-party provider.
Disney Plus launched Nov. 12 in the U.S., Canada and the Netherlands, followed by Australia, New Zealand and Puerto Rico on Nov. 19. At launch, Disney Plus includes nearly 500 movies and 7,500 TV episodes from Disney, Pixar, Marvel, Star Wars, National Geographic, and other brands, including originals like “The Mandalorian,” which data shows has piqued interest among viewers.
Disney Plus, after a free seven-day trial, costs $6.99 per month (or $69.99 per year). Disney also is selling a discounted bundle including Disney Plus, Hulu, and ESPN Plus for $12.99 monthly. In addition, Disney has a deal with Verizon to give Verizon Wireless unlimited-plan customers one year of Disney Plus for free, with the same offer for new Fios broadband and 5G home broadband subscribers.