Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Television Businesses Movies

Thousands of Hacked Disney+ Accounts Are Already For Sale On Hacking Forums (zdnet.com) 46

An anonymous reader quotes ZDNet: Hackers didn't waste any time and have started hijacking Disney+ user accounts hours after the service launched. Many of these accounts are now being offered for free on hacking forums, or available for sale for prices varying from $3 to $11, a ZDNet investigation has discovered... Many users reported that hackers were accessing their accounts, logging them out of all devices, and then changing the account's email and password, effectively taking over the account and locking the previous owner out...

Two users who spoke with ZDNet on the condition we do not share their names admitted that they reused passwords. However, other users said online that they did not, and had used passwords unique for their Disney+ accounts. This suggests that in some cases hackers gained access to accounts by using email and password combos leaked at other sites, while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.

The speed at which hackers have mobilized to monetize Disney+ accounts is astounding.

This discussion has been archived. No new comments can be posted.

Thousands of Hacked Disney+ Accounts Are Already For Sale On Hacking Forums

Comments Filter:
  • very Mickey Mouse of them.

    • *that noise that Mickey makes in those South Park episodes*

    • Re:That's (Score:5, Insightful)

      by stephanruby ( 542433 ) on Saturday November 16, 2019 @05:16PM (#59421184)

      ...while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.

      This article must have been written by a Disney PR person because it does not even mention the possibility that Disney+ got hacked.

      It reminds me of Uber claiming that many of its users were reusing passwords, that's why their accounts were hacked, when in fact, they knew the company itself had been hacked and they even paid off the hackers to keep quiet.

      • This article must have been written by a Disney PR person because it does not even mention the possibility that Disney+ got hacked.

        To be fair to whoever wrote the article, the odds are quite high that it wasn't Disney+ getting hacked. The balance of probabilities suggest password reuse, malware and social engineering long before an actual hacking, that last of which is something that usually exposes the entire user dataset.

    • while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.

      ZDNET,
      Are you shilling for Disney? Or are you real journalists?

      Because real journalists would have paid for tech forensics specialists to look at those users' machines.

  • Jesus H. Christ, Disney!!! Get your act together! It's almost 2020, Post-Snowden! How the ever-living crap is this system not secure?! Is Disney not the largest media conglomerate on the planet? Y'all should have the resources to not let this happen!!!

    • by gweihir ( 88907 )

      Things have to be _cheap_! And, of course, all that "IT stuff" is solved, right?

      They should probably fire everybody involved in the relevant decisions, there is nothing to salvage in these people. Some (few) hacks in the next weeks would have been acceptable. For it to be _this_ bad, they need to have made absolutely elementary mistakes on all levels, in particular on management-level.

      • by Moryath ( 553296 )
        You nailed it, it's the old triangle. They got it done Cheap and Fast, and ignored the need to get it done Correctly. Probably doesn't help that their tech support is outsourced to somewhere in India or Malaysia that was likely doing legally-dubious robocalls prior to this year.
    • Those are the coke-headed criminals who ACTUALLY BELIEVE that DRM can work, and that you can "own" information, remember?

      They wouldn't know the basic concepts of physics or information science of you'd shoot it at them with galactic gamma ray burst cannon!

      Not that the average Slashdotter of today would know either.
      Yeah, my old /. account used to remember a time when "intellectual property" and DRM got the ridicule they deserve. Back when CmdrTaco, CowboyNeal, Hemos & co still ran the site.

      • by gweihir ( 88907 )

        You have a point.

      • Those are the coke-headed criminals who ACTUALLY BELIEVE that DRM can work, and that you can "own" information, remember?

        They wouldn't know the basic concepts of physics or information science of you'd shoot it at them with galactic gamma ray burst cannon!

        Not that the average Slashdotter of today would know either.
        Yeah, my old /. account used to remember a time when "intellectual property" and DRM got the ridicule they deserve. Back when CmdrTaco, CowboyNeal, Hemos & co still ran the site.

        What in Sam Hill does longevity have to do with a story posted on a forum?

        Are you blaming /.?

  • Extreme incompetence (Score:5, Interesting)

    by gweihir ( 88907 ) on Saturday November 16, 2019 @02:42PM (#59420764)

    Apparently, they did not even invest into some actually competent penetration tests, let alone a competent security review. In addition, this was obviously implemented by much cheaper-than-possible coders that do not have the first clue about IT security.

    It does not get much more incompetent than this.

    • by Synonymous Cowered ( 6159202 ) on Saturday November 16, 2019 @03:11PM (#59420844)
      The hackers are just as incompetent. Changing the password? Wonderful, because I assume the legit account holder will be like "that's weird, I cant login anymore. Guess I'll just stop using it but keep paying the bills". Anyone who paid to buy access to a hacked account is wasting their money.
      • by gweihir ( 88907 )

        If people on that low skill level can get in, how does that make the screw-up by Disney any better?

      • This. That's why the prices are so low. Someone gets a free ride out of town where there are no more bus stops or gas stations.

      • Guess I'll just stop using it but keep paying the bills"

        What bill? For most Disney+ customers, the billing is only starting one full year from now.

        That's because most of those people are Verizon customers, the ones who were tricked into paying for 5G when Verizon doesn't really have 5G. They also qualify for a promo code that's good for one free full year of Disney+.

      • Anyone who paid to buy access to a hacked account is wasting their money.

        Indeed you wouldn't expect the account to last long. I expect the people buying the accounts are as dumb as the people who lost their accounts in the first place. Another good reason not to use a hacked account is that there would be nothing stopping Disney from attempting to have you prosecuted for fraud.

    • Mickey needs his cocaine right NOW!

      Can't waste those dollars on preventing anyone from undermining their criminal artificial scarcity monopoly protection racket! The Ego(TM) of the cokeheads alone will enforce it! By the power of Earskull!

    • by geek ( 5680 ) on Saturday November 16, 2019 @04:35PM (#59421086)

      Well they did force their IT people to train their Indian replacements from HCL. So yeah

      • "Well they did force their IT people to train their Indian replacements from HCL. So yeah". And this is a great incentive for them to fuck over Disney and leak the credentials onto the 'net. As a bonus, there could be a logic bomb lurking in Disney+'s servers ready to shut down and wipe the system. Disney better get cracking with that deep code/system audit. It seems Disney had not learned the lesson of revoking passwords to the system and maybe deactivating physical access security keycards before telling
    • by slarabee ( 184347 ) on Saturday November 16, 2019 @04:49PM (#59421130)
      What would a penetration test have revealed? It would take some really really good odds before I would place money on these credentials having been sourced from a compromise of Disney+ infrastructure.

      More likely:

      1. Scammers are selling absolutely nothing that will work.

      2. Disney+ consumers

      1. 2a. Reused credentials.
        2b. Choose the simplest most guessable credentials the Disney+ password policy would allow.
        2c. Created/used their account from a compromised system.
        2d. Were phished.

      3. Disney got hacked. Very distant third place.

      • 3. Disney got hacked. Very distant third place.

        Makes sense. If Disney got hacked, the numbers would be ten orders higher.

      • by rtb61 ( 674572 )

        With the psychos at Disney forcing workers to train the cheaper replacements, I would put hacking at number one and go so far to say there is likely sneaky hardware built into the network infrastructure. That stupid, sheer idiotic greed move means the system is very likely compromised at it's core and the entire system needs to be audited, every plug, every wire, every computer, every bit of digital tech in the place.

      • by gweihir ( 88907 )

        My take would be:
        1: a smaller number will be trying this
        2a: a lot, with ineffectual or no protection against attackers just trying leaked credentials, i.e. Disney screwed up massively
        2b: Too early. But with the Disney screw-up on 2a, they probably have no protection against plain guessing in place either
        2c: Hmm. Usually attackers use specialized malware, not one that can grab all credentials. I expect this in a few days though.
        2d: Again, too early. In a few days maybe.
        3: Unlikely.

        • My take would be: 1: a smaller number will be trying this

          Above being a reference to my belief that a good percentage of Disney+ credentials being sold online are a scam.

          Your optimism about the upstanding nature of those whose hats are less than white is uplifting. Honor among thieves is a pithy saying but not much actually exists. Go grab a copy of the file(s) being offered by every Mandalorian torrent. Let us know how many malware families you find. Go download some trainers for whatever AAA PC game is hot right now. Use your mobile device while your

    • Why is it that you always jump to the least likely scenario? Oh that's right, gweihir doesn't understand risk, thinks that hackers are more likely to Meltdown corporate CPUs, than simply phish a password from a user or reuse credentials exposed previously.

      You once told me you were in the security industry. With every one of your posts I'm worried about the state of your industry.

    • by kv2125 ( 6396010 )
      Actually the hackers did not penetrate Disney, but rather found emails and passwords from other online streaming services that were hacked. Here's an article about it https://www.denverpost.com/201... [denverpost.com]. I think the volume of people signing up (10 million on the first day alone) attracted hackers to seek and sell these accounts.
  • by Tablizer ( 95088 ) on Saturday November 16, 2019 @02:58PM (#59420812) Journal

    That Mickey Mouse system is all goofied up.

  • I may be interested.
    • by SeaFox ( 739806 )

      If only there was some info about the prices... like the second sentence of the fucking summary.

  • Just simulate a "TV" junkie that watches ALL the shows, and rip them all, off to a file sharing server somewhere. (Die in a firery pit of hell, BitTorrent, you stupid, backwards, degenerated protocol!)

    To proudly exterminate the Content Mafia pest, so the creator industry can flourish again, and rehashigs of "i.p." become punishable by industry-standard Content Mafia cokehead orgy hooker rape death. (OK, actually I want nobody to be harmed. But I'm not exactly gonna come running to save somebody who defined

  • by 93 Escort Wagon ( 326346 ) on Saturday November 16, 2019 @03:14PM (#59420862)

    But I may just hold off for a while... to make sure there isn't some fundamental weakness in Disney+' account management.

    Although it might be an interesting experiment - load up a pre-paid credit card with a few bucks and use that to create an account, then see whether it gets taken over...

    • But I may just hold off for a while... to make sure there isn't some fundamental weakness in Disney+' account management.

      Although it might be an interesting experiment - load up a pre-paid credit card with a few bucks and use that to create an account, then see whether it gets taken over...

      Early adopters are the canaries.

      • I'll hold off ...

        Early adopters are the canaries.

        I'd always heard: An early adopter is often one who has arrows in their back for being first to try something out.

  • FTFY (Score:5, Insightful)

    by Fly Swatter ( 30498 ) on Saturday November 16, 2019 @03:55PM (#59420972) Homepage

    The speed at which hackers have mobilized to monetize Disney+ accounts is astounding.

    The incompetent security of Disney+ accounts is astounding.

    • The incompetent security of Disney+ accounts is astounding.

      Is it? Do you have any evidence that the security of Disney+ accounts is in question? I'll tell you what isn't in question: a) password reuse, b) stupidly simple passwords being guessed, c) users responding to phishing attempts, and d) rampant malware on PCs. Each of which in order of decreased likelihood.

      A typical hack directly against the service normally exposes entire databases of users. If that actually happened we wouldn't be talking about thousands of accounts.

  • After a while nobody will be on the Internet except hackers.
    • This would be great! Get rid of all the 1 D 10 T's!

      However, please explain why you think a userid and password is required to access the Internet?

  • by Anonymous Coward

    You can't give away Amazon streaming passwords, the sharers would order booze and crap for tens of thousands on your dime.

  • Someone used my email address to register a Disney+ account. Disney+ does not validate the email address. So, it is easy for an unauthorized user to use anyone's email address for the sake of receiving a free trial. Disney+ failed at designing a secure registration process. This is evidence that Disney+ does not take security seriously.

Truly simple systems... require infinite testing. -- Norman Augustine

Working...