sb-eu logo
Story image

Disney+: Is it safe to subscribe?

Users are being advised to follow best practice when it comes to online service platforms, in the wake of the launch of Disney+ into the market. 

"While the market has been largely speculative about Disney+ and Netflixs reign as the top OTT service provider, Disney+ seems to have fallen shortly behind with its subscribers recently falling victim to credential stuffing, a technique attackers use to steal passwords to gain access to accounts," explains John Shier, senior security advisor, Sophos.

"News reports have also said that thousands of hacked Disney+ accounts are already up for sale on hacking forums."

Shier says many Disney+ users are reporting that they have been locked out of their accounts. Disney+ has responded by saying they have no evidence of a breach. 

"Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users' devices," he explains.

"Credential stuffing is when cybercriminals use leaked credentials from one website which could already be for sale on the dark web and try those same credentials on other online services," says Shier. 

"This breach is a prime example of the importance of having unique passwords across all of your online services. 

"As we've seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a persons previously compromised passwords across different services, that will be their default," he says.

"Excitement has been building for Disney+ and while it's in limited release, people will seek out alternative means to use the platform, even if that includes using someone else's password," Shier says. 

"It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype. 

"Opportunistic cybercriminals deploying credential stealing malware may be identifying Disney+ accounts in their collected data and offering them for sale separately because of the buzz associated with this new platform," he explains.

Unfortunately, says Shier, the Disney+ platform does not appear to offer any kind of multi-factor authentication, which would thwart these kinds of attacks against online services.

Whatever the root cause, Shier says users of online services should incorporate these tips into their everyday cybersecurity practices:

  • Dont reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches
  • Provide as little personally identifiable information online as possible
  • All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.
Story image
Okta, CrowdStrike, Netskope and Proofpoint create shared zero trust security strategy
Okta, CrowdStrike, Netskope and Proofpoint have joined forces to develop and launch an integrated, zero trust security strategy, stating that this is crucial for today’s digital and remote working environments.More
Story image
Cybersecurity spending slumps - but swift recovery expected
New research from GlobalData found that the industry will recover after this initial slump to be worth almost US$238 billion by 2030.More
Story image
Trend Micro ranks number one in Global Hybrid Cloud Security - IDC 
The cloud security firm enjoyed a market share of 29.5% last year, three times that of the number two vendor.More
Story image
Top 10 riskiest IoT devices for enterprises, according to Forescout
IoT devices can become attack vectors for hackers to gain access to enterprise networks, and recent Forescout research shows businesses need to be aware of this and put adequate security measures in place.More
Story image
Gartner recognises Pulse Secure for Zero Trust Network Access solution
In the market guide, Gartner states that ZTNA augments traditional VPN technologies for application access, and removes the excessive trust once required to allow employees and partners to connect and collaborate. More
Story image
ESET uncovers chat app malware spying and stealing user's data
The Welcome Chat espionage app belongs to a known Android malware family and shares infrastructure with a previously documented espionage campaign named BadPatch, which also targeted the Middle East.More