Many Disney+ users who have had their accounts stolen and put up for sale on the dark web say that Disney has yet to sort their problems. The firm says it does not believe its systems have been compromised, suggesting that members’ details have been stolen by other means. The BBC reports: On November 12, its first day live, people had technical problems and many complained on social media. Others said they were locked out of their accounts, and since they contacted Disney they have not heard back. According to an investigation by ZDNet, thousands of user accounts went on sale on the dark web. Only hours after the service launched, hackers were selling Disney+ accounts for as little as $3. A subscription to the service costs $7 a month. With the help of a cyber-security researcher, the BBC also found several hacked customer accounts for sale on the dark web.
Many say they used unique userIDs and passwords to access the streaming platform. But Jason Hill, a lead researcher with CyberInt, says it looks like many were stolen because people use the same passwords for different sites. Mr Hill said that hackers can lift someone’s password from a different site which has previously been hacked and then try it on a new site, like Disney+. If it works, they steal the account. The streaming service does not have two-factor authentication. Others are concerned because they can use their Disney+ login to access other products the company provides, like the Disney store and its recreation parks.