For sale: Disney+ account, barely used. Within hours of the streaming service's rollout last week, hackers took over user accounts: ejecting owners, changing login credentials and, in many cases, selling them for as little as $3 (about Rs. 215), a ZDNet investigation revealed.
The Disney+ server crashed early on November 12, which the company attributed to extraordinary demand for its library of Disney television shows and movies, including the Marvel and Star Wars franchises and Pixar favorites such as the Toy Story films. The service racked up over 10 million customers in the first 24 hours. Now, scores of users online are complaining that they have lost access to their accounts. Several report having spent hours in telephone and chat queues waiting for Disney customer support, to no avail.
"Disney takes the privacy and security of our users' data seriously and there is no indication of a security breach at Disney+," the company said in a statement to The Washington Post.
ZDNet found that compromised accounts are cropping up on hacking forums across the Internet, selling for $3 to $11. A Disney+ subscription costs $7 (approximately Rs. 500) per month. On some hacking forums, ZDNet found Disney+ credentials offered for free. The BBC also found several hacked accounts for sale online.
"It's no surprise that cyber-banders jump on the same bandwagon like everyone else, when a big new consumer launches," HackerOne's technical program manager Niels Schweisshelm wrote on Tuesday morning, adding that this research should serve as a reminder to all consumers to secure online accounts with strong, complex passwords.
Some users told ZDNet that they reused passwords, making them vulnerable to credential stuffing, where hackers try login combinations exposed in security breaches at other companies or websites. But many users on social media reported being hacked despite having a unique password.
This problem is not unique to Disney. Amazon Prime, Hulu, and Netflix have long faced similar struggles with hackers taking over online accounts. (Amazon CEO Jeff Bezos owns The Post.) Uber dealt with some account theft last year, where consumers saw charges on their accounts for rides hundreds of miles away. Experts said it was likely that credentials were stolen in 2016 during a security breach at Uber, which the company had hidden for more than a year.
Like most streaming services, Disney+ allows password sharing, which means that an account can be accessed from different devices in different locations, even remotely. Disney+ also does not have multi-factor authentication, which would require someone to confirm their identity beyond the standard login and password before successfully signing in to the account. Multi-factor authentication often includes an additional security question or a code sent to a user's email or phone.
"MFA does not guarantee that only the authorized user is actually using the service, but it only helps to slow down or reduce the likelihood of bad actors gaining access with a user ID and password credentials," Jonathan Deveraux, Head of Enterprise Security for comforte AG, wrote this morning. "If this is the case with reports of hacked Disney+ accounts, Disney did nothing wrong per se, but they could have opted to look at their security posture by upgrading their authentication program."
Currently, Disney+ has launched in a handful of countries, including the United States and Canada. A new entry to the increasingly crowded streaming landscape, Disney's streaming service claims exclusive access to franchises like Star Wars and Marvel, and to Disney's own shows and movies.
Disney+ Accounts Hacked and Sold in Their Thousands, Locking Out Owners