Hackers have reportedly hijacked the account data of thousands of Disney+ users recently and put it up for sale on the dark web. ZDNet discovered several listings for Disney+ accounts on different underground hacking forums, selling for between $3 and $5 (approximately Rs 210 and Rs 350).
“Many users reported that hackers were accessing their accounts, logging them out of all devices, and then changing the account’s email and password, effectively taking over the account and locking the previous owner out,” said the report.
In some cases, hackers gained access to accounts by using email and password combinations leaked from other sites, while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.
Researchers asked Disney+ to help users and prevent more attacks by rolling out support for multi-factor authentication.
Security experts are calling this a credential stuffing attack, which John Shier, senior security advisor at Sophos, explained as follows.
Shier said: “Credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services. As we’ve seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person’s previously compromised passwords across different services, that will be their default.”
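The two behaviours described above can be looked for in authentication logs. The following is an added example, not code from the report, Sophos or Disney+: it flags source IPs that try one guess against many accounts and mostly fail, and accounts where a successful login is followed by sign-out of all devices, an email change and a password change. The event names, thresholds, addresses and sample log are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (epoch_seconds, source_ip, account, event, succeeded).
# Event names and the documentation-range IP addresses are assumptions for illustration.
EVENTS = [
    (1000, "203.0.113.7", "ann@example.com", "login", False),
    (1002, "203.0.113.7", "bob@example.com", "login", False),
    (1004, "203.0.113.7", "cat@example.com", "login", True),
    (1005, "203.0.113.7", "dan@example.com", "login", False),
    (1006, "203.0.113.7", "eve@example.com", "login", False),
    (1030, "203.0.113.7", "cat@example.com", "logout_all_devices", True),
    (1050, "203.0.113.7", "cat@example.com", "email_change", True),
    (1060, "203.0.113.7", "cat@example.com", "password_change", True),
    (2000, "198.51.100.9", "fay@example.com", "login", False),
    (2010, "198.51.100.9", "fay@example.com", "login", True),
    (9000, "198.51.100.9", "fay@example.com", "password_change", True),
]

def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """IPs that attempted logins on many distinct accounts and mostly failed."""
    tried, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, account, event, ok in events:
        if event != "login":
            continue
        tried[ip].add(account)
        total[ip] += 1
        fails[ip] += not ok
    return sorted(ip for ip in tried
                  if len(tried[ip]) >= min_accounts and fails[ip] / total[ip] >= min_fail_ratio)

# Order of actions reported by affected users.
TAKEOVER_STEPS = ["login", "logout_all_devices", "email_change", "password_change"]

def takeover_accounts(events, window=600):
    """Accounts where every takeover step succeeded, in order, within `window` seconds of login."""
    progress = {}  # account -> (index of next expected step, time of the login)
    hits = []
    for ts, _, account, event, ok in sorted(events):
        if not ok:
            continue
        step, start = progress.get(account, (0, ts))
        if event == "login":  # a fresh successful login restarts the sequence
            progress[account] = (1, ts)
        elif step < len(TAKEOVER_STEPS) and event == TAKEOVER_STEPS[step] and ts - start <= window:
            progress[account] = (step + 1, start)
            if step + 1 == len(TAKEOVER_STEPS):
                hits.append(account)
    return hits
```

On the sample log, `stuffing_sources(EVENTS)` returns the one address that cycled through five accounts, and `takeover_accounts(EVENTS)` returns only the account whose email and password were changed minutes after the login; the user who changed a password hours later is not flagged.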
On the very first day of release, Disney+ users collectively spent 1.3 million hours streaming and watching the content available to them on the platform. The service was launched in the US for $6.99 per month or $69 per year.