After overcoming a temporary buckling of its sign-up system on launch day, Disney+ is dealing with another issue in the early going -- complaints from some customers that their accounts have been hacked alongside evidence that Disney+ credentials are being sold on the dark web for cents on the dollar.
According to a ZDNet investigation, "thousands" of Disney+ accounts have been hacked recently, alongside evidence that service credentials are being offered for free or as low as $3 via the dark web.
Per the report, affected users claim that hackers accessed their accounts, logged them out of all their authorized streaming devices and then changed the email and password of those subscriptions -- essentially locking them out of the Disney+ service -- before putting those credentials up for sale. Meanwhile, some Disney+ customers who fell prey to this hacking complained that they've had trouble getting a rapid response or remedy from Disney's customer service unit.
"Disney takes the privacy and security of our users' data very seriously and there is no indication of a security breach on Disney+," a Disney spokesperson said in an emailed statement.
Disney's systems are designed to notice suspicious login activity on a customer's account. When that happens, the company, as a precaution, will lock the account and request a password reset.
While it's not entirely clear what's occurring in every hacking instance, Disney, which launched Disney+ on November 12, said a security breach of the service itself or any of Disney's platforms is not to blame. It's most likely that the issue stems from unauthorized people reusing customers' email and password combinations gathered during previous security incidents impacting other companies.
Jason Hill, a researcher at CyberInt, told the BBC that it appears many of the Disney+ accounts were compromised because some customers use the same passwords for different online accounts. If a hacker has access to an email and password that is used across multiple accounts, the same credentials could be used to gain access to Disney+ and other streaming service accounts and wreak havoc. Hill suggested that consumers use password managers that provide unique sign-ons without making the process overly complicated or cumbersome.
Although ZDNet claims that hackers have compromised thousands of Disney+ accounts, that is a small fraction of the entire user base. On Wednesday, the day after Disney+ debuted in the US, Canada and the Netherlands, the company said the service had already eclipsed 10 million subscribers.
Crackdown on digital piracy and password-sharing
But a focus by hackers on Disney+ shines some additional light on a piracy issue that will only grow in importance as Disney and other programmers and media giants develop and launch direct-to-consumer streaming services. While video security used to be the primary domain of cable operators and other pay-TV providers, the burden will increasingly fall upon companies like Disney as well.
Disney is among those already taking some steps in this direction. As part of its new distribution deal with Charter Communications, Disney agreed to collaborate with Charter on "piracy mitigation" that will include clamping down on password-sharing and other issues involving unauthorized access to streaming services.
Meanwhile, the Alliance for Creativity and Entertainment (ACE), a legal consortium that counts Disney and other major studios and distributors among its members, recently launched an effort that takes aim at password-sharing and unauthorized access through information sharing and the use of best practices.
— Jeff Baumgartner, Senior Editor, Light Reading