There are claims that the much-heralded launch of Disney's new streaming service Disney+ was hacked within hours of going live. According to a Disney press release, over 10 million people signed up for the service in its first day. Many of those were pre-launch customers who had ordered the service in advance. Given the pre-launch hype, there was always going to be pressure on Disney to see how it would cope. The answer to that seems to be: badly.
Within a couple of hours, users were complaining on social media of long waits and problems accessing customer services. In addition to not getting access to the service, there were also complaints about the lack of shows available.
While Disney was struggling to add customers, hackers were not. They were able to steal customer credentials and offer them for sale on the Dark Web.
The story was first reported by ZDNet, then confirmed by the BBC and several other sources. In most of the reported cases, investigators had no problem finding hacked accounts available for sale. The cybercriminals did more than just steal credentials. Users were logged out of devices and their passwords changed. With customers unable to get through to customer services, this left many upset and angry.
Disney claims customers are to blame for hacking
Disney has responded to the claims of the service being hacked. It put out a statement saying: "Disney takes the privacy and security of our users' data very seriously and there is no indication of a security breach on Disney+".
[Disney has provided Enterprise Times with an updated statement.] “We have found no evidence of a security breach. Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the web. We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password. We have seen a very small percentage of users in this situation and encourage any users who are having these kind of issues to reach out to our customer support so we can help them.”
The speed of the Disney response raises questions. It has all the hallmarks of a knee-jerk reaction to the news. It is rare for any organisation to complete a forensic verification of its systems so quickly. Will there be a second statement giving more details later?
Having said it is not at fault, Disney is also pushing back at those who have been hacked. The most likely explanation for so many customers being hacked is reuse of usernames and passwords from other services. Cybercriminals maintain lists of user credentials from other breaches. It is not unusual for them to replay those lists against a new service in a brute force (credential stuffing) attack to gain access to Disney accounts. However, such an attack should have been evident to Disney through its security logs.
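The paragraph above says a credential-replay attack "should have been evident" in the security logs, and Disney's updated statement says it locks an account and forces a new password when it sees a suspicious login. The following example, added here and not Disney's or Enterprise Times' code, shows what both of those look like in practice: it parses a handful of constructed login-log lines, flags a source that tries many different usernames with a high failure rate (the signature of a stuffed credential list, as opposed to one user mistyping a password), and lists the accounts that source logged into successfully as the ones to lock and reset. The log format, IP addresses, usernames and thresholds are all assumptions made up for the example.

```python
"""
Toy credential-stuffing detector over authentication logs, plus the
lock-and-reset response. Everything here is constructed for the example:
the log line format, the sample data and the threshold values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real Disney+ logs). One login attempt
# per line: timestamp, source IP, username and outcome.
SAMPLE_LOG = """\
2019-11-12T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-11-12T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-11-12T10:00:02Z ip=203.0.113.5 user=carol result=OK
2019-11-12T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-11-12T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-11-12T10:00:04Z ip=203.0.113.5 user=frank result=OK
2019-11-12T10:00:05Z ip=203.0.113.5 user=grace result=FAIL
2019-11-12T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2019-11-12T10:00:06Z ip=203.0.113.5 user=ivan result=FAIL
2019-11-12T10:00:06Z ip=203.0.113.5 user=judy result=FAIL
2019-11-12T10:01:10Z ip=198.51.100.7 user=mallory result=FAIL
2019-11-12T10:01:15Z ip=198.51.100.7 user=mallory result=FAIL
2019-11-12T10:01:30Z ip=198.51.100.7 user=mallory result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that logged in OK


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def stats_by_source(events):
    """Aggregate attempts, failures and usernames per source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def find_stuffing_sources(stats, min_attempts=8, min_distinct_users=5, min_fail_rate=0.5):
    """Credential stuffing looks like many *different* usernames from one source
    with a high failure rate. A single user mistyping a password (one username,
    a few attempts) does not match. Thresholds are illustrative assumptions."""
    flagged = {}
    for ip, s in stats.items():
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and s.failures / s.attempts >= min_fail_rate):
            flagged[ip] = s
    return flagged


def accounts_to_lock(flagged):
    """Accounts a flagged source logged into successfully: the reused credential
    is now known to be valid, so lock them and require a new password."""
    return sorted(u for s in flagged.values() for u in s.successes)


def analyse(text):
    """Return (flagged source IPs, accounts to lock and reset) for a log."""
    events = parse_log(text)
    flagged = find_stuffing_sources(stats_by_source(events))
    return sorted(flagged), accounts_to_lock(flagged)


if __name__ == "__main__":
    ips, locked = analyse(SAMPLE_LOG)
    print("stuffing sources:", ips)       # ['203.0.113.5']
    print("lock and reset:", locked)      # ['carol', 'frank']
```

The detector counts over the whole sample for brevity; a production version would keep the same counters over a sliding time window and also watch for the same credential list being spread across many source addresses, which is the usual way attackers stay under a per-IP threshold.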
Another explanation is a much more sophisticated attack. Hackers may have been monitoring social media to see who was talking about Disney+, especially if they were having problems with customer support. They could then have tied social media accounts to other stolen credentials and tried to break into accounts that way.
Given the timescale, and the lack of evidence, it is unlikely that this was caused by phishing attacks. The time between the service going live and the hacks isn’t enough to support any such campaign.
What is the impact of this breach?
There are several potential impacts of this breach. The first is that affected customers will lose trust in Disney. The question is whether that is enough customers to create a reputational risk for Disney.
Another risk here is the way that Disney has allowed accounts to be linked. A customer can use their Disney+ account to access a number of different Disney services. The most important of these for many customers will be the vacation parks. With Christmas coming up, many parents will have booked holidays. If any of them have been hacked, they will be worried that the holiday could be cancelled or changed.
A bigger issue for Disney, and one with a lasting impact, is the use of those accounts to stream, pirate and then post Disney shows to torrent services. There is a lot of content already available, some of it new. This is a prime target for cybercriminals. They can use stolen material as the basis for malware campaigns.
Chris Boyd, Lead Malware Analyst at Malwarebytes, comments: "Bogus streaming links offering the latest shows but actually giving nothing but fake surveys and malware downloads spike whenever a new show launches, but an entire channel was always going to increase the target area. Staggering rollout will only make the problem worse, and the various technical hitches suffered during the Disney+ rollout have meant strong interest in torrents even in areas the service is available.
“Disney will never be able to take down every torrent, every real or fake stream, or every website promising episodes in return for filling in some surveys, so they should consider keeping their users safe via dedicated security pages which explain the privacy risks of untrusted websites and files.”
Enterprise Times: What does this mean?
Given Disney's existing online presence and properties, it is a surprise that it was so unprepared for the problems it has encountered. It would have known from the pre-orders how many customers were going to want to log on on day one. As such, being able to scale quickly to satisfy demand should have been a key part of its planning.
The same is true of hacking attacks. It really doesn’t matter who is at fault. The immediate response to blame the victims is not what customers would have expected. Disney will now have to prove that it was not at fault and do so quickly. Using a third-party forensics team to establish what happened is a must. So is finding some way to help those customers regain access to their accounts.
Moving forward, Disney also needs to explain why there is no multi-factor authentication on user accounts. This is about as basic as it comes for any online service. It suggests either a rushed deployment or a failure to understand the importance of multi-factor.
It might be that the IT department has spent too much time watching Disney movies. Maybe they were hoping for the Disney Cybersecurity Princesses to save them when things went wrong. The Princesses saved the day in Ralph Breaks The Internet, so why not have them save Disney+?