Thousands of Hacked Disney+ Accounts Are Already For Sale On Hacking Forums (zdnet.com) 46
An anonymous reader quotes ZDNet:
Hackers didn't waste any time and have started hijacking Disney+ user accounts hours after the service launched. Many of these accounts are now being offered for free on hacking forums, or available for sale for prices varying from $3 to $11, a ZDNet investigation has discovered... Many users reported that hackers were accessing their accounts, logging them out of all devices, and then changing the account's email and password, effectively taking over the account and locking the previous owner out...
Two users who spoke with ZDNet on the condition we do not share their names admitted that they reused passwords. However, other users said online that they did not, and had used passwords unique for their Disney+ accounts. This suggests that in some cases hackers gained access to accounts by using email and password combos leaked at other sites, while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.
The speed at which hackers have mobilized to monetize Disney+ accounts is astounding.
That's (Score:2)
very Mickey Mouse of them.
Obligatory ... (Score:2)
*that noise that Mickey makes in those South Park episodes*
Re:That's (Score:5, Insightful)
...while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.
This article must have been written by a Disney PR person because it does not even mention the possibility that Disney+ got hacked.
It reminds me of Uber claiming that many of its users were reusing passwords, that's why their accounts were hacked, when in fact, they knew the company itself had been hacked and they even paid off the hackers to keep quiet.
Re: (Score:2)
This article must have been written by a Disney PR person because it does not even mention the possibility that Disney+ got hacked.
To be fair to whoever wrote the article, the odds are quite high that it wasn't Disney+ getting hacked. The balance of probabilities suggests password reuse, malware and social engineering long before an actual hacking, the last of which is something that usually exposes the entire user dataset.
Re: (Score:2)
while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.
ZDNET,
Are you shilling for Disney? Or are you real journalists?
Because real journalists would have paid for tech forensics specialists to look at those users' machines.
*Pulling hair out* (Score:2)
Jesus H. Christ, Disney!!! Get your act together! It's almost 2020, Post-Snowden! How the ever-living crap is this system not secure?! Is Disney not the largest media conglomerate on the planet? Y'all should have the resources to not let this happen!!!
Re: (Score:2)
Things have to be _cheap_! And, of course, all that "IT stuff" is solved, right?
They should probably fire everybody involved in the relevant decisions, there is nothing to salvage in these people. Some (few) hacks in the next weeks would have been acceptable. For it to be _this_ bad, they need to have made absolutely elementary mistakes on all levels, in particular on management-level.
Re: (Score:1)
They fall for DRM and you ask about security?? (Score:2)
Those are the coke-headed criminals who ACTUALLY BELIEVE that DRM can work, and that you can "own" information, remember?
They wouldn't know the basic concepts of physics or information science if you'd shoot it at them with a galactic gamma ray burst cannon!
Not that the average Slashdotter of today would know either. /. account used to remember a time when "intellectual property" and DRM got the ridicule they deserve. Back when CmdrTaco, CowboyNeal, Hemos & co still ran the site.
Yeah, my old
Re: (Score:2)
You have a point.
Re: (Score:2)
Those are the coke-headed criminals who ACTUALLY BELIEVE that DRM can work, and that you can "own" information, remember?
They wouldn't know the basic concepts of physics or information science if you'd shoot it at them with a galactic gamma ray burst cannon!
Not that the average Slashdotter of today would know either. /. account used to remember a time when "intellectual property" and DRM got the ridicule they deserve. Back when CmdrTaco, CowboyNeal, Hemos & co still ran the site.
Yeah, my old
What in Sam Hill does longevity have to do with a story posted on a forum?
Are you blaming /.?
Extreme incompetence (Score:5, Interesting)
Apparently, they did not even invest into some actually competent penetration tests, let alone a competent security review. In addition, this was obviously implemented by much cheaper-than-possible coders that do not have the first clue about IT security.
It does not get much more incompetent than this.
Re:Extreme incompetence (Score:5, Interesting)
Re: (Score:2)
If people on that low skill level can get in, how does that make the screw-up by Disney any better?
Re: (Score:2)
This. That's why the prices are so low. Someone gets a free ride out of town where there are no more bus stops or gas stations.
Re: (Score:3)
Guess I'll just stop using it but keep paying the bills"
What bill? For most Disney+ customers, the billing is only starting one full year from now.
That's because most of those people are Verizon customers, the ones who were tricked into paying for 5G when Verizon doesn't really have 5G. They also qualify for a promo code that's good for one free full year of Disney+.
Re:Anyone who paid to buy access to a hacked accou (Score:3)
Indeed you wouldn't expect the account to last long. I expect the people buying the accounts are as dumb as the people who lost their accounts in the first place. Another good reason not to use a hacked account is that there would be nothing stopping Disney from attempting to have you prosecuted for fraud.
Unthinkable! (Score:2)
Mickey needs his cocaine right NOW!
Can't waste those dollars on preventing anyone from undermining their criminal artificial scarcity monopoly protection racket! The Ego(TM) of the cokeheads alone will enforce it! By the power of Earskull!
Re:Extreme incompetence (Score:4, Insightful)
Well they did force their IT people to train their Indian replacements from HCL. So yeah
Re: Extreme incompetence (Score:2)
Re:Extreme incompetence (Score:5, Insightful)
More likely:
1. Scammers are selling absolutely nothing that will work.
2. Disney+ consumers
2b. Choose the simplest most guessable credentials the Disney+ password policy would allow.
2c. Created/used their account from a compromised system.
2d. Were phished.
3. Disney got hacked. Very distant third place.
Re: (Score:2)
Re: (Score:3)
3. Disney got hacked. Very distant third place.
Makes sense. If Disney got hacked, the numbers would be ten orders higher.
Re: (Score:2)
With the psychos at Disney forcing workers to train the cheaper replacements, I would put hacking at number one and go so far as to say there is likely sneaky hardware built into the network infrastructure. That stupid, sheer idiotic greed move means the system is very likely compromised at its core and the entire system needs to be audited, every plug, every wire, every computer, every bit of digital tech in the place.
Re: (Score:2)
My take would be:
1: a smaller number will be trying this
2a: a lot, with ineffectual or no protection against attackers just trying leaked credentials, i.e. Disney screwed up massively
2b: Too early. But with the Disney screw-up on 2a, they probably have no protection against plain guessing in place either
2c: Hmm. Usually attackers use specialized malware, not one that can grab all credentials. I expect this in a few days though.
2d: Again, too early. In a few days maybe.
3: Unlikely.
Re: (Score:2)
My take would be: 1: a smaller number will be trying this
Above being a reference to my belief that a good percentage of Disney+ credentials being sold online are a scam.
Your optimism about the upstanding nature of those whose hats are less than white is uplifting. Honor among thieves is a pithy saying but not much actually exists. Go grab a copy of the file(s) being offered by every Mandalorian torrent. Let us know how many malware families you find. Go download some trainers for whatever AAA PC game is hot right now. Use your mobile device while your
Re: (Score:2)
Why is it that you always jump to the least likely scenario? Oh that's right, gweihir doesn't understand risk, thinks that hackers are more likely to Meltdown corporate CPUs, than simply phish a password from a user or reuse credentials exposed previously.
You once told me you were in the security industry. With every one of your posts I'm worried about the state of your industry.
Re: (Score:1)
Slashvertisement or FUD campaign? (Score:2)
Jiminy crickets! (Score:3, Funny)
That Mickey Mouse system is all goofied up.
How much are they going for? (Score:2)
Re: (Score:2)
If only there was some info about the prices... like the second sentence of the fucking summary.
Why would we need more than one? (Score:1)
Just simulate a "TV" junkie that watches ALL the shows, and rip them all, off to a file sharing server somewhere. (Die in a fiery pit of hell, BitTorrent, you stupid, backwards, degenerated protocol!)
To proudly exterminate the Content Mafia pest, so the creator industry can flourish again, and rehashings of "i.p." become punishable by industry-standard Content Mafia cokehead orgy hooker rape death. (OK, actually I want nobody to be harmed. But I'm not exactly gonna come running to save somebody who defined
I was thinking of signing up (Score:5, Interesting)
But I may just hold off for a while... to make sure there isn't some fundamental weakness in Disney+' account management.
Although it might be an interesting experiment - load up a pre-paid credit card with a few bucks and use that to create an account, then see whether it gets taken over...
Re: (Score:3)
But I may just hold off for a while... to make sure there isn't some fundamental weakness in Disney+' account management.
Although it might be an interesting experiment - load up a pre-paid credit card with a few bucks and use that to create an account, then see whether it gets taken over...
Early adopters are the canaries.
Re: (Score:2)
I'll hold off ...
Early adopters are the canaries.
I'd always heard: An early adopter is often one who has arrows in their back for being first to try something out.
FTFY (Score:5, Insightful)
The speed at which hackers have mobilized to monetize Disney+ accounts is astounding.
The incompetent security of Disney+ accounts is astounding.
Re: (Score:2)
The incompetent security of Disney+ accounts is astounding.
Is it? Do you have any evidence that the security of Disney+ accounts is in question? I'll tell you what isn't in question: a) password reuse, b) stupidly simple passwords being guessed, c) users responding to phishing attempts, and d) rampant malware on PCs. Each of which in order of decreased likelihood.
A typical hack directly against the service normally exposes entire databases of users. If that actually happened we wouldn't be talking about thousands of accounts.
Bye bye (Score:2)
Re: (Score:2)
This would be great! Get rid of all the 1 D 10 T's!
However, please explain why you think a userid and password is required to access the Internet?
Amazon has it better (Score:1)
You can't give away Amazon streaming passwords, the sharers would order booze and crap for tens of thousands on your dime.
Disney+ does not validate (Score:2)