
Disney+ Fans Without Answers After Thousands Hacked (bbc.com)

Many Disney+ users who have had their accounts stolen and put up for sale on the dark web say that Disney has yet to sort their problems. The firm says it does not believe its systems have been compromised, suggesting that members' details have been stolen by other means. The BBC reports: On November 12, its first day live, people had technical problems and many complained on social media. Others said they were locked out of their accounts, and since they contacted Disney they have not heard back. According to an investigation by ZDNet, thousands of user accounts went on sale on the dark web. Only hours after the service launched, hackers were selling Disney+ accounts for as little as $3. A subscription to the service costs $7 a month. With the help of a cyber-security researcher, the BBC also found several hacked customer accounts for sale on the dark web.

Many say they used unique userIDs and passwords to access the streaming platform. But Jason Hill, a lead researcher with CyberInt, says it looks like many were stolen because people use the same passwords for different sites. Mr Hill said that hackers can lift someone's password from a different site which has previously been hacked and then try it on a new site, like Disney+. If it works, they steal the account. The streaming service does not have two-factor authentication. Others are concerned because they can use their Disney+ login to access other products the company provides, like the Disney store and its recreation parks.
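The attack described above is credential stuffing: breached username/password pairs replayed against a new site by an automated tool. As an added example that is not part of the Slashdot summary or the BBC article, the following Python code shows what that traffic looks like from the defender's side, flagging source IPs that try many distinct accounts with a poor success rate over a few constructed log lines, and a small sliding-window throttle of the kind the thread later asks about. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-11-12T09:00:01 198.51.100.7 alice@example.com FAIL
2019-11-12T09:00:02 198.51.100.7 bob@example.com FAIL
2019-11-12T09:00:02 198.51.100.7 carol@example.com OK
2019-11-12T09:00:03 198.51.100.7 dave@example.com FAIL
2019-11-12T09:00:03 198.51.100.7 erin@example.com FAIL
2019-11-12T09:00:04 198.51.100.7 frank@example.com OK
2019-11-12T09:01:10 203.0.113.9 alice@example.com FAIL
2019-11-12T09:01:40 203.0.113.9 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Parse the constructed log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, account, result = m.groups()
            events.append((ts, ip, account, result == "OK"))
    return events

def stuffing_suspects(events, min_accounts=5, max_success_ratio=0.5):
    """Flag source IPs that hit many distinct accounts with a high failure share.
    Replaying one breached password per account produces exactly this shape; a
    single user mistyping their own password (one account, one IP) does not."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": 0})
    for _, ip, account, ok in events:
        s = per_ip[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        s["ok"] += int(ok)
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["accounts"]) >= min_accounts
                  and s["ok"] / s["attempts"] <= max_success_ratio)

class LoginThrottle:
    """Sliding-window cap on attempts per key (e.g. source IP); allow() is False when over."""
    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)   # key -> list of attempt times (seconds)

    def allow(self, key, now):
        recent = [t for t in self.hits[key] if now - t < self.window]
        recent.append(now)
        self.hits[key] = recent
        return len(recent) <= self.limit
```

Keying the throttle on the source IP rather than the account is what catches this pattern, since the attacker touches each account only once.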

  • Phishing (Score:5, Informative)

    by srwood ( 99488 ) on Tuesday November 19, 2019 @08:23PM (#59433280)

    I received an email phishing attempt within 24 hours of signing up. Appeared to be from Disney stating my account was locked and to reset my password though a link in the email.

    • You may be right. I get emails from Netfilx pretty regularly telling me the same thing.
      It could also be because everything Disney touches turns to shit though.
      • I used to get e-mail from NetFlix. However the third-party e-mail service that NetFlix uses has been blacklisted for sending spam, so I haven't seen valid e-mail from NetFlix in quite a while. Goodly amount of NetFlix phishing and other spam though that is not from NetFlix.

        NetFlix, of course, accuses ME of having an "invalid e-mail address" which is clearly ludicrous -- they simply do not understand how computers work. I tried to explain it to them but everyone working at NetFlix appears to fall into th

        • My emails are from netfilx. The fact you missed the tiny typo makes me think they are going to be successful with that particular scam.
      • Ah yes, The Midass Touch. :-P
  • by mandark1967 ( 630856 ) on Tuesday November 19, 2019 @08:27PM (#59433300) Homepage Journal
    All they need to do is rename it from "Disney+" to "Disney+Hacked!"

    Modern Problems require Modern Solutions

  • The Magic Kingdom has a bit too much magic.

  • Many say they used unique userIDs and passwords to access the streaming platform

    They're lying.

    • by Zuriel ( 1760072 )
      They might be lying, but everyone using a password manager would have used a Disney+ password like "WcMstuQtVmwb57Dym", and yeah, you can be confident that wasn't guessed.
      • Depends on the PW manager's strategy for selecting randomly.

        It really can be quite bad, for instance seeding a generator with the seconds since midnight.
      • Most password managers are nothing more than sticky notes. Except instead of posting the sticky note on the monitor in your living room where only those people physically located in your house can read it, they post the sticky note on the Internet where everyone and their mother can read it.

  • by jamezzz ( 459886 ) on Tuesday November 19, 2019 @08:53PM (#59433400)

    I guess Disney meant it when they said "The Vault is Wide Open!".

  • The world's governments are able to hack for informational and economic advantage... when should we expect the world's corporations to follow suit?

    The day before yesterday?

  • by pierceelevated ( 5484374 ) on Tuesday November 19, 2019 @09:27PM (#59433494)
    Once again, the project deadline dictated the features. Once again, security didn't make the cut.
    • by geekmux ( 1040042 ) on Tuesday November 19, 2019 @10:28PM (#59433666)

      Once again, the project deadline dictated the features. Once again, security didn't make the cut.

      By "security", you mean spending millions on technical re-education for the masses regarding password recycling? Kind of hard to quantify Mass Ignorance.

      After reading all the theories here, the most predictable one is users recycle the same damn password across multiple (hacked) services, and the inevitable happened. On Day One. Because users are that predictable.

      • After reading all the theories here, the most predictable one is users recycle the same damn password across multiple (hacked) services, and the inevitable happened. On Day One. Because users are that predictable.

        What proportion of these compromised email addresses had signups for Disney+? Did Disney set up some kind of rate-limiting on login attempts? I suspect not.

        • After reading all the theories here, the most predictable one is users recycle the same damn password across multiple (hacked) services, and the inevitable happened. On Day One. Because users are that predictable.

          What proportion of these compromised email addresses had signups for Disney+? Did Disney set up some kind of rate-limiting on login attempts? I suspect not.

          The rate limiting suggestion is good, but could be problematic to manage depending on the competency of the user (if they were competent, we probably wouldn't be having this discussion).

          Regarding compromised email, that's hardly the responsibility of Disney, and again speaks to consumer competence. If your account was hacked as part of a larger compromise, you were most likely notified by the provider of the service. If you chose to both ignore that notification and you recycle passwords, well...

      • You choose one possible solution, but I'd say, if you're Disney, you must surely know that your target market aren't the tech-literate, super-bright minds of the world - they're the "ordinary" folk of modest skills who just want to let their remaining brain cells turn to mush watching your crappy TV. Thus, you really ought to do some of their thinking for them - especially if you think you're going to get as many sign-ups as they thought they'd get.

        How hard would it have been for Disney to check your email

        • How hard would it have been for Disney to check your email address against the haveibeenpwned database with the password you entered? It certainly wouldn't have cost them millions to implement, and would have entirely safeguarded against this problem (if it is as you assume).

          A couple of my email addresses are in that database. What's your point? haveibeenpwned is not real-time, which is the only way you could entirely safeguarded against the problem of weak/recycled passwords. If users actually paid attention to email notifications about compromised accounts and did something about it, we probably wouldn't be having this discussion. Notifications are hardly a guaranteed protection.

          Quite frankly, the more users get burned, perhaps the faster they'll eventually wise up. Pe

      • How about some sanity checking when accepting a password?

        Check for length, complexity, dictionary inclusion and if it exists on a list of known passwords.
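The checks proposed in this comment and the haveibeenpwned idea a few comments up, as an added Python example that is not from the thread or from any Disney code: a registration-time password check for length, a local common-password list, and a breach-corpus lookup done the way the Pwned Passwords range API works (only the first five hex characters of SHA-1(password) leave the client; the full hash is matched locally against the returned suffixes). The network call is replaced here by a stub over a constructed range table; the list contents and breach counts are constructed values.

```python
import hashlib

def sha1_hex(password):
    """Uppercase hex SHA-1, the form the range API matches on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the breach corpus: password -> times seen (made-up counts).
_PWNED = {"password": 3730471, "Welcome1!": 1234}
_RANGES = {}
for _pw, _count in _PWNED.items():
    _h = sha1_hex(_pw)
    _RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def fetch_range(prefix):
    """Stub for GET .../range/<prefix>; returns 'SUFFIX:COUNT' lines for that prefix.
    A real client would issue the HTTP request here and send nothing else."""
    return "\n".join(_RANGES.get(prefix, []))

def breach_count(password):
    """k-anonymity lookup: the server never sees the full hash or the password."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in fetch_range(prefix).splitlines():
        known_suffix, _, count = line.partition(":")
        if known_suffix == suffix:
            return int(count)
    return 0

# Constructed short deny-list; production lists run to millions of entries.
COMMON = {"password", "123456", "qwerty", "disney"}

def check_password(password, min_len=12):
    """Return the reasons a candidate password should be rejected (empty list = accept)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in COMMON:
        problems.append("on the local common-password list")
    n = breach_count(password)
    if n:
        problems.append(f"seen {n} times in known breaches")
    return problems
```

Rejecting a password that appears in a breach corpus blocks the reuse case this thread is about at sign-up, before any stuffing attempt happens.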

  • The "+" stands for Identity Theft.
  • password

    Get over it. The same can be said for all the different admins of the world. People can be expected to have 2 or 3 passwords for everything in their life. That includes bank card pins and door locks. Further, if you insist on changing a password every 3 months, expect the passwords to all become common 6 letter words with the first letter capitalized, followed by '!' followed by a number that increments every time.

    If password reuse caused an account to be compromised then it is the site admi
    • by raymorris ( 2726007 ) on Tuesday November 19, 2019 @10:25PM (#59433660) Journal

      Current NIST standards say you should NOT force regular password resets, and you should not force people to use Word1! (which is what letters, numbers, and punctuation means in real life - add 1 and ! to the end). You SHOULD use long passphrases. You SHOULD use 2FA.

      After 20 years in the security field, I don't use a bajillion different passwords. I have one password stub I use for stuff I don't care about at all - mostly posting comments on web sites.

      To avoid automated password-stuffing, it's a good idea to add something to the stub. So if your standard stub is "GreenLaxative?", on Slashdot you might use "GreenLaxative?sl", on Fox use "GreenLaxative?fx". Hackers manually looking at your passwords could guess one based on the other, but most cross-site password-stuffing is automated. Adding an abbreviation of the site name will stop most of these attacks.

      I add another word for medium-security sites. So GreenLaxative?74Gillabong. Again with a site suffix. Note it's a longer, better, password - but starts the same, so less to remember.

      Then I have my high-security for bank and email. Again it's related to the other two, so I don't have something COMPLETELY different to remember.

      That's my method. I have a different pair for work. A lower-security one and a longer, better version for higher security systems.

      • PS: rather than changing them all the time (and writing them down), or leaving them the same forever, I occasionally ADD a character or two. That way an old password from four years ago won't work if it gets leaked, but I don't have to remember completely new ones all the time.

      • I think that the most important password rule is to use a distinct password for your email. Never use this password elsewhere.

        • Yep. If I can access your email, I can do password resets on most of your other stuff.

          Also, most of your other accounts are going to have your email address listed, so a breach of any service provides your email address. It's stupid obvious for a hacker to try the same password for the email that is listed right there in the same database.

      • by AmiMoJo ( 196126 )

        It's time for most people to stop using passwords altogether.

        For the average user it would make more sense to use a token of some kind. Could be a physical USB key* or it could simply be a locally stored soft token. People already use the browser's built in password manager and sync features so for them tokens would work exactly the same as a long, random password.

        * We should be able to use NFC with computers by now. Android phones support NFC tokens but for some reason computers don't, you have to plug in.

        • https://www.grc.com/sqrl/sqrl.... [grc.com]

          No secrets to keep.

          • Sqrl actually requires many secrets to be kept client-side.
            Browse the "SQRL-specific Terminology" section of the first PDF for a few of them.

            What they've done is re-invented client-side TLS certificates, except without the native browser support. They've made client side certs more complicated, while standard certs are already supported by browsers.

        • Why not just use a password manager in combination with MFA? The password manager will generate much more secure passwords than you can and if the passwords are ever compromised the attacker still can't do anything without your MFA device.

      • I agree on most of your points, but 2FA does not help against phishing.
        • Indeed what we're talking about here is proving the user's identity. Phishing is about proving the server's identity.

          You COULD use 2FA to prove the server's identity; almost nobody does. I had a bank that did - the bank web site showed an image that is known only to the user and bank.

          Certificates are the primary way to prove the server's identity, but users don't check them.

          • I think Bank of America did that? You selected an image to be displayed on the login screen when setting up your account.
      • Do you have a reference for NIST not recommending regular password resets? It's a requirement from our Infosec department here and they tend to be stuck in the past policy-wise.
    • by geekmux ( 1040042 ) on Tuesday November 19, 2019 @10:44PM (#59433716)

      password

      Get over it. The same can be said for all the different admins of the world. People can be expected to have 2 or 3 passwords for everything in their life. That includes bank card pins and door locks.

      Sure, I expect people to have only 2 or 3 passwords.

      In 1987.

      Today, I know none of my passwords, save for a single strong passphrase used to decrypt a secure file. Couldn't even tell you my passwords under duress, because they're all machine generated and 20+ characters long. I sure as hell don't have them memorized because I probably have a dozen or more I use regularly. And a dozen is normal when considering we now do the majority of account management and bill paying online.

      It's 2019. If you still don't understand why you should protect all of your passwords properly by now, then there's nothing more to say. You deserve to be hacked.

      If password reuse caused an account to be compromised then it is the site administrator's fault for relying on a unique password in the first place.

      First off, this makes no sense whatsoever. Disney+ accounts are also used to access other services. The Disney store for example may also have your credit card detail stored, along with other expected personal information (name, home/billing address, phone number, email, order history, etc.) Any account holding that level of detail should be properly protected.

      • I use a password system that's the same for every password I use but generates a password different enough that one won't compromise another and complex enough that typical attacks (dictionary, brute force) won't get it. Even if I don't remember at all what password I used on a site, I'm usually able to figure it out within one or two tries. The only downside is that if you saw two of the passwords you'd be able to easily figure out the others, so it's weak against targeted attacks based on multiple leaked
    • If password reuse caused an account to be compromised then it is the site administrator's fault for relying on a unique password in the first place.

      What would you prefer that they rely on?

  • to stream on my "favorite" type of website, where there's no accounts needed, no username or password needed. Just click on stream and boom, you've got the show. No regrets at the end of the day since I pay for both Netflix and Amazon.
