Disney+ hacked user info??

Kaleidodad

Librarian Mickey
Joined
Apr 3, 2018
  • KayaWildfire

    Mouseketeer
    Joined
    Oct 4, 2016
    I don't think credit card info was hacked, it was the login information. Annoying and I really hope that doesn't happen to me, but not something to cancel a card over.
     

    sndral

    DIS Veteran
    Joined
    Feb 3, 2008
    Well, it didn’t take Disney+ long to suffer IT issues did it. We all somewhat tolerate their abysmal IT, but to be competitive in the streaming world they need to get their act together & fast IMO, and pointing the finger elsewhere isn’t likely to go over well. Wonder if all of those new subscribers trying to contact them about being locked out of their accounts are being subjected to long waits on hold with never ending music sounding like it’s being broadcast underwater.
     

    Skywise

    DIS Veteran
    Joined
    Jul 24, 2013
    From my understanding the hackers used existing username (like your email)/password combinations from other hacked sites. These username/password combos are collated and sold on the black market for easy hacking like this - so if you got hacked on one site with a password you commonly use then they'll try it on other sites you might frequent - like Disney+. They got lucky with some accounts and quickly changed the password and then "resold the account" on the black market.

    Best thing to prevent this is to use a password manager like LastPass or 1Password which integrates with your web browser (and now on iPhones and Androids) and can automatically generate custom and unique passwords for every site you have an account on and then remembers and autofills it for you at login screens. I used to have password "tiers": one password for general use, one for stuff I cared about (shopping accounts/pizza) and another for high security stuff (bank accounts), but it's not enough and now with my job I have to remember a dozen passwords (literally) that have to be updated every 3 months along with my personal accounts and I can't keep up anyway! :)
     
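A defender-side illustration of the pattern Skywise describes, added here and not part of the thread: credential stuffing looks different from a brute force against one account, because one source tries many different usernames, each only once or twice, with mostly failures. The log format, thresholds and sample lines below are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) login src=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample log (hypothetical format): one source cycles through many
# different usernames, mostly failing; another hammers a single account.
SAMPLE_LOG = """\
2019-11-18T10:00:01Z login src=203.0.113.5 user=a@example.com result=fail
2019-11-18T10:00:02Z login src=203.0.113.5 user=b@example.com result=fail
2019-11-18T10:00:02Z login src=203.0.113.5 user=c@example.com result=ok
2019-11-18T10:00:03Z login src=203.0.113.5 user=d@example.com result=fail
2019-11-18T10:00:04Z login src=203.0.113.5 user=e@example.com result=fail
2019-11-18T10:01:00Z login src=198.51.100.7 user=g@example.com result=fail
2019-11-18T10:02:00Z login src=198.51.100.7 user=g@example.com result=ok
2019-11-18T11:30:00Z login src=203.0.113.5 user=h@example.com result=ok
"""

def parse(log):
    """Yield (timestamp, src_ip, username, succeeded) for each login line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:   # skip anything that is not a login event
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "ok"

def suspicious_sources(log, window=timedelta(minutes=10), min_users=4, max_success=0.5):
    """Map src_ip -> usernames tried, for sources that within one `window` tried at
    least `min_users` distinct usernames with at most `max_success` of them succeeding."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(log):
        by_src[src].append((ts, user, ok))
    flagged = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) >= min_users and sum(ok for *_, ok in win) / len(win) <= max_success:
                flagged[src] |= users   # a single-account brute force never reaches min_users
    return dict(flagged)

def accounts_to_notify(log, flagged):
    # Accounts with a successful login from a flagged source: force a reset and revoke devices.
    return {user for _, src, user, ok in parse(log) if ok and src in flagged}
```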

    mikebb

    Mouseketeer
    Joined
    Mar 27, 2015
    I don't think credit card info was hacked, it was the login information. Annoying and I really hope that doesn't happen to me, but not something to cancel a card over.
    This is true. And while one could say the root of the problem documented is not directly a failure of Disney, it does expose some serious flaws in the design and security of Disney+, all of which ARE Disney's problem.

    First, understand that the likely exposure is users who use a common password across multiple sites (any websites for that matter), and whose account information on other sites/platforms has already been compromised and sold. Then the folks that have that data know your stolen Yahoo password "Hello123" and guess that you probably used the same password on your new Disney+ account and voila, you're "hacked". They then go on to sell that info on to other users as discounted Disney+ "memberships".

    The problem becomes Disney's IMHO because:
    - Disney offers no option for 2 factor authentication, which would almost entirely mitigate such an exposure.
    - Disney also offers no option to see what devices have logged into your Disney+ account (ala Hulu, Netflix and others).
    - Since you can't see what devices have logged into your account, you also can't deauthorize devices that you suspect aren't legit or old devices you no longer use.
    - If you suspect your account has been compromised, you can change your password. However, as users have discovered, devices that have connected to Disney+ using your old (now stolen) credentials will remain authorized indefinitely, making your password change ineffective once your account is compromised.
    - Disney has offered no solutions to the above that I know of. And in fact, has referenced on their FAQ that there is no way to deauthorize devices from their service. The only recourse is to contact customer service.
    - Lastly, someone could login to your account and potentially reset your password and lock you out. Of course, because devices remain authenticated, you wouldn't truly be locked out, you'd just be unaware of what your new password is.

    Bottom line is that the exposure to data such as your credit card # appears rather limited. And really, users should be using unique usernames/passwords for each and every website they sign up for. But that doesn't happen, and Disney has done a horrible job here of implementing a platform that accounts for that. They need to up their game, and I don't understand why, with having the knowledge of how Hulu implements security, they did not do so at launch.
     
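The device-authorization flaw mikebb lists (old devices stay signed in after a password change, and there is no way to see or revoke them) comes down to how a service checks its session or device tokens. The in-memory model below is an added example, not code from the thread or from any Disney system; every name in it is hypothetical. It shows the flawed check beside the fixed one, where each token records the credential version it was issued under.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    credential_version: int = 0                   # bumped on every password change
    devices: dict = field(default_factory=dict)   # device token -> version it was minted under

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(password_hash=_hash(password, salt), salt=salt)

def login(acct: Account, password: str) -> Optional[str]:
    """Return a new device token if the password is right, else None."""
    if not secrets.compare_digest(_hash(password, acct.salt), acct.password_hash):
        return None
    token = secrets.token_urlsafe(32)
    acct.devices[token] = acct.credential_version
    return token

def change_password(acct: Account, new_password: str) -> None:
    acct.salt = os.urandom(16)
    acct.password_hash = _hash(new_password, acct.salt)
    acct.credential_version += 1   # the fix: every token minted before this is now stale

def device_is_authorized_naive(acct: Account, token: str) -> bool:
    # Flawed check (the behaviour the thread describes): was the token ever issued?
    return token in acct.devices

def device_is_authorized(acct: Account, token: str) -> bool:
    # Fixed check: the token must have been minted under the current credential version.
    return acct.devices.get(token) == acct.credential_version

def list_devices(acct: Account) -> list:
    # What a "manage devices" page would show: tokens still valid right now.
    return [t for t, v in acct.devices.items() if v == acct.credential_version]

def revoke_device(acct: Account, token: str) -> None:
    # Per-device sign-out, so a user need not rotate the password to evict one device.
    acct.devices.pop(token, None)
```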
  • OSUZorba

    DIS Veteran
    Joined
    Sep 5, 2014
    I am linking this thread here because it appears that people signing up for Disney+ & using a new password to do so found the system had automatically changed their old passwords for their other Disney accounts - which I suppose forces you to use the same password for all Disney accounts whether you want to or not, not a good idea IMO.
    Apparently Disney hasn't read a cyber security book since 1992.
     

    tcufrog

    DIS Veteran
    Joined
    Jul 18, 2012
    I keep track of my user names and passwords in a small, nondescript notebook that's similar to an old fashioned address book. I have it hidden in my home in a place that is easily accessible in an emergency but isn't a place where a thief would look for something valuable. I also don't autosave user names and passwords.
     
  • mikebb

    Mouseketeer
    Joined
    Mar 27, 2015
    I keep track of my user names and passwords in a small, nondescript notebook that's similar to an old fashioned address book. I have it hidden in my home in a place that is easily accessible in an emergency but isn't a place where a thief would look for something valuable. I also don't autosave user names and passwords.
    While I understand the reluctance, there's nothing inherently wrong with auto-saving usernames and passwords. In fact, using a good password manager along with 2-factor authentication like Skywise noted above is better than writing down passwords on an insecure device. And it encourages using stronger passwords - using autofill to enter a password like "a203-Z?$adkelSS2b.32" which would only be used on one site is much more secure than using "Mickey1" on disney.com and "Mickey2" on Hulu.
     

    RogueX

    Earning My Ears
    Joined
    Aug 21, 2019
    We are in an imperfect world in the age of cybersecurity. I receive on a weekly basis one password or another for a retail site has been compromised. But that is nothing. My biometric data was stolen along with all of my identifying information, all because my work didn't encrypt any of it.
     

    adam.adbe

    DIS Veteran
    Joined
    Aug 17, 2015
    Apparently Disney hasn't read a cyber security book since 1992.
    That's hardly fair. Google and Amazon are also one password for everything. A lack of 2FA is a legitimate complaint, but the kinds of people who are reusing passwords across multiple sites (i.e. the people in this story) aren't likely to want to mess around with 2FA anyway.
     

    tcufrog

    DIS Veteran
    Joined
    Jul 18, 2012
    While I understand the reluctance, there's nothing inherently wrong with auto-saving usernames and passwords. In fact, using a good password manager along with 2-factor authentication like Skywise noted above is better than writing down passwords on an insecure device. And it encourages using stronger passwords - using autofill to enter a password like "a203-Z?$adkelSS2b.32" which would only be used on one site is much more secure than using "Mickey1" on disney.com and "Mickey2" on Hulu.
    While I agree that those are better than many people’s practices, I’ve seen too many supposedly impervious services and websites become compromised.
     

    mshanson3121

    DIS Veteran
    Joined
    Jan 16, 2015
    Well, it didn’t take Disney+ long to suffer IT issues did it. We all somewhat tolerate their abysmal IT, but to be competitive in the streaming world they need to get their act together & fast IMO, and pointing the finger elsewhere isn’t likely to go over well. Wonder if all of those new subscribers trying to contact them about being locked out of their accounts are being subjected to long waits on hold with never ending music sounding like it’s being broadcast underwater.
    This (big) issue aside, am I the only one who has noticed the errors in movie titles? Several movies are listed with completely wrong info, like Zootropolis instead of Zootopia.
     

    sponica

    DIS Veteran
    Joined
    Oct 16, 2017
    That's hardly fair. Google and Amazon are also one password for everything. A lack of 2FA is a legitimate complaint, but the kinds of people who are reusing passwords across multiple sites (I.E. the people in this story) aren't likely to want to mess around with 2FA anyway.
    I'm guilty of reusing passwords... although most of mine had to be reset if the account had ever been tied to my Yahoo account.

    I'd also hate to use 2FA every time I log into a disney product...but I also don't trust their IT to be able to handle it.
     

    Skywise

    DIS Veteran
    Joined
    Jul 24, 2013
    While I agree that those are better than many people’s practices, I’ve seen too many supposedly impervious services and websites become compromised.
    Cloud storage/sharing is always susceptible to third party hacking. Password managers in the cloud (like lastpass, 1password, etc) encrypt each password store individually even from themselves so if you ever lose your master password they can't retrieve your passwords either!
    That said it's STILL possible for hackers to get in and grab the encrypted file and then spend the resources and effort to decrypt it. But then it's not that hard for somebody to break a window or drill out the deadbolt lock on your door to get into your house either. It's a trade off of security/convenience.
    For instance there's another password manager out there called keepass which is NOT cloud based and keeps your passwords encrypted on your PC or a USB drive that you can move around from computer to computer. It's not in the cloud, which is good, and you can share it among your PCs/Laptops easily BUT... not so easily with your smartphone.
    Full disclosure - I work for a cloud company. While we can use LastPass to store corporate passwords we cannot use 2FA authentication apps on our smartphones that store in the cloud (like Authy) precisely because it's a potential security fault (we're supposedly following US Government guidelines so they do this too - but then my dad worked at a military base before he retired and kept his passwords to his PC written down on a post-it note underneath his keyboard!)
     

