sb-nz logo
Story image

Disney+: Is it safe to subscribe?

Users are being advised to follow best practice when it comes to online service platforms, in the wake of the launch of Disney+ into the market. 

"While the market has been largely speculative about Disney+ and Netflixs reign as the top OTT service provider, Disney+ seems to have fallen shortly behind with its subscribers recently falling victim to credential stuffing, a technique attackers use to steal passwords to gain access to accounts," explains John Shier, senior security advisor, Sophos.

"News reports have also said that thousands of hacked Disney+ accounts are already up for sale on hacking forums."

Shier says many Disney+ users are reporting that they have been locked out of their accounts. Disney+ has responded by saying they have no evidence of a breach. 

"Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users' devices," he explains.

"Credential stuffing is when cybercriminals use leaked credentials from one website which could already be for sale on the dark web and try those same credentials on other online services," says Shier. 

"This breach is a prime example of the importance of having unique passwords across all of your online services. 

"As we've seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a persons previously compromised passwords across different services, that will be their default," he says.

"Excitement has been building for Disney+ and while it's in limited release, people will seek out alternative means to use the platform, even if that includes using someone else's password," Shier says. 

"It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype. 

"Opportunistic cybercriminals deploying credential stealing malware may be identifying Disney+ accounts in their collected data and offering them for sale separately because of the buzz associated with this new platform," he explains.

Unfortunately, says Shier, the Disney+ platform does not appear to offer any kind of multi-factor authentication, which would thwart these kinds of attacks against online services.

Whatever the root cause, Shier says users of online services should incorporate these tips into their everyday cybersecurity practices:

  • Dont reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches
  • Provide as little personally identifiable information online as possible
  • All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.
Story image
Video: 10 Minute IT Jams - Who is Okta?
Okta is an identity and access management company, specialising in secure user authentication. It's an enterprise-grade identity management service, built for the cloud, but compatible with many on-premises applications.More
Story image
Almost a third of malware threats previously unknown - HP report
A new report has found 29% of malware captured was previously unknown due to the widespread use of packers and obfuscation techniques by attackers seeking to evade detection. More
Story image
Hackers offering forged “official” COVID vaccination certificates and negative test results on dark net 
There has been a 350% increase in the number of advertisements selling alleged COVID vaccines within the last three months.More
Story image
AvePoint brings Salesforce Cloud Backup to channel partners
The product adds to the AvePoint suite of trusted Cloud Backup for Microsoft 365 and Dynamics 365 to provide managed service providers with backup and restore capabilities across multiple, popular SaaS providers.More
Story image
O365 a weak point ripe for exploit, say security professionals
71% of more than 1,000 security professionals have been on the receiving end of a Microsoft 365 account takeover, on average, seven times in the last year alone.More
Story image
Pandemic sees organisations of all sizes and industries invest in CTI
There is opportunity for organisations to better manage their cyber-threat intelligence for greater security and threat intelligence effectiveness by adopting the right tools and processes.More