Whether or not it has a real (systemic) hacking problem with Disney+ — which it has denied — Disney at minimum now has a PR problem with its much-ballyhooed and by all indicators much-in-demand new streaming service.
The glitches that Disney+ experienced during its Nov. 12 launch day — including both streaming and log-in problems — were widely reported. Disney said the problems were a result of demand that “exceeded [its] highest expectations,” and it appeared they were resolved expeditiously.
However, over this past weekend, ZDNet reported that a smaller stream of users reported losing access to their accounts — problems that were shared on social media.
“Many users reported that hackers were accessing their accounts, logging them out of all devices, and then changing the account's email and password, effectively taking over the account and locking the previous owner out,” wrote Catalin Cimpanu, a ZDNet security reporter.
ZDNet subsequently investigated the complaints. While some users admitted that they had made the dangerous mistake of reusing passwords, others stated online that they had created unique passwords for Disney+.
“This suggests that in some cases hackers gained access to accounts by using email and password combos leaked at other sites, while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware,” wrote Cimpanu.
Perhaps worse, from a perception standpoint, ZDNet reported that “thousands” of hijacked Disney+ account credentials were for sale on hacker forums, for prices ranging from $3 to $11, within hours after Disney+ launched. (ZDNet’s article includes screen captures of some of these ads, as well as of complaint posts on social media.)
However, the site also reports that it found several lists of Disney+ credentials being offered free on forums for sharing by the hacker community, that Disney+ “allows account sharing,” and that some of the users attached to the up-for-grabs credentials confirmed that the credentials were theirs, and still active.
While Disney had not replied to ZDNet by the time it posted on Nov. 16, the company has since issued a statement to other press, emphasizing that the company “takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+.”
Yesterday, the BBC reported that with the help of a cybersecurity researcher, it had “also found several hacked customer accounts for sale on the dark web. Thousands of these stolen accounts show what kind of subscription the person signed up with and when it expires. Customers say they saw their emails and passwords changed.”
Like ZDNet, however, the BBC reported that while many affected users said that they used unique user IDs and passwords for Disney+, experts said it “looked like many” were stolen as a result of passwords stolen from other hacked sites that had been reused on Disney+.
Disney advised those who think their accounts were compromised to contact its customer service. But according to these reports and social media complaints, many are still locked out of their accounts.
“People waited on telephone and online chat lines for hours, and many still say that Disney has yet to sort their problems,” according to the BBC. And as of yesterday, when Gizmodo called the customer service number, an automated message said the expected wait time was “greater than 60 minutes.”
Even Disney doesn’t need that kind of bad word-of-mouth. Regardless of how alluring Disney+ may be, and even if this problem is due in part or mostly to users reusing passwords, an unknown number of people are now going to be afraid to sign up for the new service — and even, potentially, for other streaming services.
In fact, importantly, affected Disney+ subscribers are by no means alone. It’s common to see credentials for sale on the dark web, according to tech media reports.
And let’s face it: Unless sites crack down, reusing passwords will be a bigger temptation than ever as more people subscribe to multiple streaming services.
So what’s the answer? AndroidCentral may have summarized it best, noting that both poor user password “hygiene” and the practices of Disney and other sites are at fault.
Like many, if not most, streaming services, Disney+ doesn’t have two-factor authentication, and its apparent willingness to tolerate password sharing (at least at the moment) is also potentially problematic, writes AndroidCentral’s Phil Nickinson.
Both practices are common among streaming services, which don’t want to alienate customers with awkward processes or by cracking down on “casual” password sharing (although, as he points out, that may be changing).
Nickinson points out that, assuming Disney doesn’t want to institute two-factor authentication or crack down on password sharing, it (and others) could still implement a system “where you can only be logged in to one device at a time to watch [the service]” or “geo-lock things to a small area — though that would require Disney to know where you are with a good degree of accuracy, and that's not a great thing for privacy.” Another option might be reducing risk by reducing the number of profiles allowed on a single account (seven on Disney+, currently).
Consumers themselves need to use password managers consistently, and ideally also check out the free service Have I Been Pwned to see whether their data has been breached.
On the other hand, Disney and other streamers could also be proactively checking APIs to see whether a user is trying to sign up with an email/password that is already compromised, he adds.
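The compromised-credential check described above can be done without ever sending the user’s password to a third party. The following is an added illustration, not code from Disney, AndroidCentral or Have I Been Pwned: it implements the k-anonymity lookup used by the Pwned Passwords service (the client sends only the first five hex characters of the password’s SHA-1 and matches the returned suffixes locally), with the network call replaced by a constructed stand-in endpoint built from a small sample list of “leaked” passwords so it runs offline.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample of passwords the stand-in endpoint treats as already
# breached, with made-up breach counts. A real check queries the live service.
LEAKED_SAMPLE: Dict[str, int] = {
    "password123": 123456,
    "disneyplus2019": 42,
    "letmein": 98765,
}


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-case, the form Pwned Passwords keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every sample hash under that 5-char prefix,
    plus one decoy line so the response is never empty (all constructed data)."""
    lines: List[str] = []
    for pw, count in LEAKED_SAMPLE.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    lines.append("0" * 34 + "A:1")  # decoy: a 35-char suffix that matches nothing
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char hash prefix leaves the client; the
    server returns every suffix under it and the comparison happens here.
    Returns the breach count, or 0 if the password is not in the data set."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def signup_allowed(password: str,
                   fetch_range: Callable[[str], str] = fake_range_endpoint) -> bool:
    """Policy hook at account creation: refuse any password seen in a breach."""
    return pwned_count(password, fetch_range) == 0
```

Swapping `fake_range_endpoint` for an HTTP GET against the real range endpoint turns this into a production check; the password itself never leaves the service doing the lookup.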
In short, it looks like the complications created by the streaming wars will not be limited to inter-company competition.
And the companies involved should take this as a proverbial canary in a coal mine, because ticked-off subscribers aren’t going to help them or the nascent industry as a whole.