With the recent launch of Disney Plus, attackers wasted no time with hacking into thousands of user accounts. The video-on-demand streaming service was first announced in April 2019. It launched in three countries – the US, Canada, and the Netherlands, on November 12, 2019. Within a few hours of this grand launch, compromised accounts of Disney Plus were available on online forums for free, as well as a minimal amount of $3, as per ZDNet investigators.
The service crossed the mark of 10 million subscribers within its first 24 hours. After this, numerous users were unable to stream their favorite videos due to technical issues. Many users reported that their accounts had been hacked, and they were being logged out from their devices. They also faced account hijacking, where their account’s login credentials were changed, leaving them locked out. Users took the incident to several social media platforms and online forums as Twitter and Reddit were flooded with complaints.
The cause behind the Disney Plus breach is still unknown
During the investigation, two of the users admitted that they reused their existing passwords, while other users claimed to have set a unique password for their Disney Plus accounts. Both scenarios suggest two different hacking techniques. For the former case, cybercriminals could have used passwords leaked from other websites, while in the latter case, credentials could have been stolen using malicious software. The stolen accounts either witnessed the alteration of their login credentials or have their credentials up on the dark web.
Considering all cases, it could be a simple credential stuffing campaign. Disney is yet to release an official statement on the incident. Apart from the speculations, the official cause of account hijacking is still unknown.
What is account hijacking?
Account hijacking is a cybercriminal gaining unauthorized access to an individual’s email or computer system. It is a form of identity theft. As a consequence, the hijacked account can be used to conduct malicious activities.
Monetizing Hijacked Accounts of Disney Plus
The perpetrators put up the stolen accounts for sale within a few hours of Disney Plus launch. The prices of these credentials vary from $3 to $11, while the original subscription for Disney Plus is $7.
How do cybercriminals monetize stolen data?
Cyber attackers are now more advanced than ever before. Here are the 5 ways that cybercriminals can monetize the stolen data –
- Creating a database of the stolen data: It can be used for future attacks.
- Selling it online for monetary benefits: It is usually sold on the black market of the Internet.
- Segregating beneficial accounts: Cybercriminals separate lucrative accounts from the rest of the list, deciding which of them can make the most money.
- Performing malicious activities using stolen accounts: Perpetrators can use the stolen identities to file fraudulent tax returns to receive tax rebates from the IRS.
- Filing for false medical claims: In this case, elderly and senior citizens are high priority targets.
What can Disney Plus account holders do?
Disney Plus account holders are advised to set up unique login credentials for their accounts. This method cannot protect potential targets from account hijacking but can secure accounts against brute-force attacks.
How to prevent account hijacking?
After the account has been hijacked, dealing with its consequences can be a challenge, thus, making prevention a better cure.
1. Keep all software updated
Updated software is less likely to fall prey to the malicious intent of cybercriminals. The frequently released patches fix existing bugs, in turn, improving the overall performance. It can also protect your data from numerous known-unknown malware. Having applications and software on auto-update mode is the best way to stay protected from unexpected cyberattacks.
2. Enable multi-factor authentication
Multi-factor authentication is a reliable method to stop black hats from gaining unauthorized access to private accounts. The most common form of this method is two-factor authentication, where a temporary code, i.e., an OTP (One-time Password) is generated to log in, using an unidentified device. This process takes a few extra seconds to access the account, but it is a guaranteed solution against account hijacking.
3. Use a password manager
The password manager offers its users the liberty to generate a complex, unique password and a secure space to store it. It generates unpredictable or random passwords, making it difficult to hack.
In line with the Disney Plus beach, several phishing campaigns have been generated, sending fake emails addressing Disney Plus subscribers. It is not known whether the included links redirect its targets to a phishing page or download malware on the system. View more information on phishing here.
2019, December 20. Disney Plus Accounts Hacked Within Hours of its Most-Awaited Launch. Here’s How. EC-Council Blog.