Story image

Disney+: Is it safe to subscribe?

Users are being advised to follow best practice when it comes to online service platforms, in the wake of the launch of Disney+ into the market. 

"While the market has been largely speculative about Disney+ and Netflixs reign as the top OTT service provider, Disney+ seems to have fallen shortly behind with its subscribers recently falling victim to credential stuffing, a technique attackers use to steal passwords to gain access to accounts," explains John Shier, senior security advisor, Sophos.

"News reports have also said that thousands of hacked Disney+ accounts are already up for sale on hacking forums."

Shier says many Disney+ users are reporting that they have been locked out of their accounts. Disney+ has responded by saying they have no evidence of a breach. 

"Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users' devices," he explains.

"Credential stuffing is when cybercriminals use leaked credentials from one website which could already be for sale on the dark web and try those same credentials on other online services," says Shier. 

"This breach is a prime example of the importance of having unique passwords across all of your online services. 

"As we've seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a persons previously compromised passwords across different services, that will be their default," he says.

"Excitement has been building for Disney+ and while it's in limited release, people will seek out alternative means to use the platform, even if that includes using someone else's password," Shier says. 

"It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype. 

"Opportunistic cybercriminals deploying credential stealing malware may be identifying Disney+ accounts in their collected data and offering them for sale separately because of the buzz associated with this new platform," he explains.

Unfortunately, says Shier, the Disney+ platform does not appear to offer any kind of multi-factor authentication, which would thwart these kinds of attacks against online services.

Whatever the root cause, Shier says users of online services should incorporate these tips into their everyday cybersecurity practices:

  • Dont reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches
  • Provide as little personally identifiable information online as possible
  • All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.
Story image
27 Nov
Interview: Microsoft's Diana Kelley talks talent gaps and D&I
Kelley recently spoke at Microsoft Asia’s new Experience Center, where she talked through her experience as a security CTO, as well as IoT security, what’s ahead in 2020, and diversity and inclusion both in the cybersecurity sector, and in technology.More
Story image
Today
FireEye rolls out threat intelligence platform for industrial systems
Now industrial control systems (ICS), operational technology (OT), internet of things devices, and other equipment used to manage interconnected physical processes, can be secured from cyber threats.More
Story image
15 Nov
Google Cloud sets sights on network intelligence automation
Google Cloud’s new network intelligence platform could potentially automate thousands of networking jobs and speed up cloud migrations to new levels of efficiency.More
Story image
Yesterday
Forecast: Ecosystm’s top 6 cybersecurity trends for 2020
Increasing use of cloud platforms and mobile devices, coupled with data sharing and a rise in online commerce, means businesses and their customers have never been more exposed to cyber threats.More
Story image
28 Nov
IDC names Trend Micro number one vendor for SDC security
The new independent report: Worldwide Software Defined Compute Workload Security Market Shares, 2018 revealed Trend Micro achieved a market share lead of 35.5%, almost triple its nearest competitor in 2018.More
Story image
06 Dec
Sophos launches threat intelligence & analysis platform for developers
Sophos’ cloud-based threat intelligence and analysis platform is now available to those who are building applications.More