Thousands of Disney+ Accounts already sold on hacking forums, days after launch

The much-anticipated video streaming service Disney+ launched just days ago, and thousands of hacked accounts are already for sale on the Dark Web.

Hours after launch, Disney+ accounts were already being sold on hacking forums for as much as $11, ZDNet’s Catalin Cimpanu reports. Prices range from $3 to $11, and some accounts are even offered for free and are intended to be shared between multiple people.

Shortly after launch, numerous Disney+ users were locked out of their accounts, their emails and passwords changed. By removing all devices from the account and changing login credentials, hackers are able to completely take over an account. According to ZDNet, prices for these hacked accounts range from $3 to $11. Disney+ costs $7/month but users can buy yearly subscriptions for $70, so the more expensive hacked accounts are likely accounts that have a year's worth of subscription or more.

Disney+ accounts being for sale is not unexpected. What is surprising is how hackers wasted no time in taking over accounts and putting them up for sale. You can find plenty of Netflix, HBO, Amazon Prime, etc., login credentials being sold, but those streaming services have been around for years, while Disney+ has been available for only a couple of days. And reports state that hacked Disney+ accounts were on sale mere hours after launch.

Disney has not commented on the situation or how accounts were hacked, but it’s likely safe to guess that at least some of the accounts were accessed by hackers because of weak or re-used passwords. One thing to note is that Disney+ does not have two-factor authentication (2FA). 2FA can go a long way towards preventing hackers from accessing accounts, even if they have the login credentials.

Password re-use is often the reason accounts get hacked

One of the most important rules of security, and one many users like to ignore, is to not re-use passwords. This is emphasized in every report about hacks, every article about being safe online and protecting your accounts, etc., but the advice is disregarded by many users.

It’s not difficult to understand why users re-use passwords, seeing how convenient that is. However, while users may find it easiest to do that, password re-use is a great security risk. But why is re-using passwords such an issue?

If you use the same password for many different accounts and one of those accounts gets hacked, cyber crooks would then technically be able to access every single account with that password. There are special brute-forcing tools that automatically try combinations of passwords and usernames (obtained from data dumps) to gain entry to accounts. Those tools have databases containing millions of passwords, and if you use a basic password, chances are it’s part of one of those databases.
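As an added example (not part of the original article or any Disney code), the Python below shows how a service could detect the pattern described above from its own login events: one source trying many accounts with mostly failed logins, followed by the lockout actions seen in the Disney+ reports (email change, password change, device removal). The event format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (timestamp, source IP, account, event type); not real logs.
EVENTS = [
    ("2019-11-12T10:00:01", "203.0.113.7", "alice@example.com", "login_fail"),
    ("2019-11-12T10:00:02", "203.0.113.7", "bob@example.com", "login_fail"),
    ("2019-11-12T10:00:03", "203.0.113.7", "carol@example.com", "login_ok"),
    ("2019-11-12T10:00:04", "203.0.113.7", "dave@example.com", "login_fail"),
    ("2019-11-12T10:00:05", "203.0.113.7", "erin@example.com", "login_fail"),
    ("2019-11-12T10:01:10", "203.0.113.7", "carol@example.com", "email_change"),
    ("2019-11-12T10:01:12", "203.0.113.7", "carol@example.com", "password_change"),
    ("2019-11-12T10:01:15", "203.0.113.7", "carol@example.com", "devices_removed"),
    # An ordinary user who mistypes once, logs in, then changes their own password.
    ("2019-11-12T10:05:00", "198.51.100.20", "frank@example.com", "login_fail"),
    ("2019-11-12T10:05:09", "198.51.100.20", "frank@example.com", "login_ok"),
    ("2019-11-12T10:06:30", "198.51.100.20", "frank@example.com", "password_change"),
]
TAKEOVER_ACTIONS = {"email_change", "password_change", "devices_removed"}


# Thresholds are illustrative assumptions; tune them against real traffic.
def stuffing_sources(events, min_accounts=4, max_success_ratio=0.5):
    """Return source IPs that tried many distinct accounts and mostly failed."""
    accounts, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for _ts, ip, account, kind in events:
        if kind in ("login_ok", "login_fail"):
            accounts[ip].add(account)
            attempts[ip] += 1
            successes[ip] += kind == "login_ok"
    return {ip for ip in accounts
            if len(accounts[ip]) >= min_accounts
            and successes[ip] / attempts[ip] <= max_success_ratio}


def likely_takeovers(events):
    """Map account -> lockout actions that followed a login from a stuffing source."""
    suspects = stuffing_sources(events)
    sessions, hits = set(), defaultdict(list)
    for _ts, ip, account, kind in sorted(events):  # ISO timestamps sort chronologically
        if kind == "login_ok" and ip in suspects:
            sessions.add((ip, account))
        elif kind in TAKEOVER_ACTIONS and (ip, account) in sessions:
            hits[account].append(kind)
    return dict(hits)


if __name__ == "__main__":
    print(stuffing_sources(EVENTS))
    print(likely_takeovers(EVENTS))
```

An account flagged this way is a candidate for forced session revocation and a verified password reset sent to the previous email address.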

Hackers are also able to gain access to users’ accounts via malware. There are numerous posts on Twitter about Disney+ accounts being hacked, despite owners having strong non-reused passwords. If users have a keylogger installed on their computers, the program could easily record passwords for Disney+ and then access accounts. Keyloggers are pretty silent infections and stay in the background harvesting passwords. It would be difficult to notice one installed without anti-malware software, and many users do not have such tools protecting their devices.

Having good security habits goes a long way towards keeping you safe online. You should have a unique password for every important account, and they shouldn’t be something basic either. Passwords should be complex, contain both uppercase and lowercase letters, numbers and symbols, as well as make little sense to anyone but you. The more complex it is, the harder it will be for it to be hacked. If you have many different accounts and want a safe way to store passwords, consider using a password manager. Those programs not only store passwords in a secure way but also generate them.