Days after the new Disney+ streaming service went live, thousands of customers have had their accounts hacked. Is the use of weak passwords, reused across multiple accounts, the culprit?
Weak Passwords Up for Grabs
Many news articles regarding the Disney+ hacking seem to have one theme in common: weak passwords and passwords reused across multiple accounts.
Disney+ is the new subscription-based streaming service from Disney that was officially launched last Tuesday. Since then thousands of users reportedly have had their Disney+ accounts hacked.
Hackers apparently accessed subscribers’ Disney+ accounts, logging them out of their devices and then changing the email address and password associated with the accounts. Nonetheless, Disney says it does not believe its systems have been compromised.
A spokesperson for Disney+ said: “Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+.”
For Sale on the Dark Web
The hacked customer accounts are available on the dark web for free or for $3 to $11. A subscription to the service costs $7 (£5.40) a month. The stolen accounts contain more than just login information: the listings sometimes also show the kind of subscription the person signed up for and when it expires. Furthermore, as all Disney accounts are linked, a hack of the Disney+ account means all of a user’s Disney accounts are hacked. This would give the hackers access to accounts such as the user’s Disney Store or Disney Recreation Parks accounts.
These accounts were most likely hacked because subscribers used the same credentials across many different sites. Hackers often steal credentials from sites during previous security breaches and then try them on a new site like Disney+, an attack known as credential stuffing. If the credentials work, they take over the account.
However, users who used unique passwords apparently also had their accounts compromised. Therefore, another culprit must also have been at work. In this instance, it is likely that these Disney+ subscribers chose too simple a password when they set up their accounts.
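As an added illustration that is not part of the original article, the following Python sketch shows how a service’s defenders could spot the credential-stuffing pattern described above in their own authentication logs. The log format, the IP addresses and the account names are constructed for the example, and the thresholds are assumptions, not any service’s actual policy.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real Disney+ logs).
# Assumed format: "<timestamp> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2019-11-14T08:00:01 src=203.0.113.5 user=alice@example.com result=fail
2019-11-14T08:00:02 src=203.0.113.5 user=bob@example.com result=fail
2019-11-14T08:00:02 src=203.0.113.5 user=carol@example.com result=ok
2019-11-14T08:00:03 src=203.0.113.5 user=dave@example.com result=fail
2019-11-14T08:00:04 src=203.0.113.5 user=erin@example.com result=fail
2019-11-14T08:00:05 src=203.0.113.5 user=frank@example.com result=ok
2019-11-14T08:01:10 src=198.51.100.7 user=alice@example.com result=fail
2019-11-14T08:01:15 src=198.51.100.7 user=alice@example.com result=fail
2019-11-14T08:01:20 src=198.51.100.7 user=alice@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn the raw log text into a list of event dicts; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events, min_accounts=5, max_success_ratio=0.5):
    """Return {src_ip: stats} for sources that look like a credential-stuffing run.

    A legitimate user who forgot a password hammers ONE account (few distinct
    accounts per source).  A credential-stuffing run replays a list of leaked
    username/password pairs, so a single source touches MANY distinct accounts
    and only a fraction of the attempts succeed.  Thresholds are assumptions.
    """
    per_src = defaultdict(
        lambda: {"users": set(), "ok_users": set(), "ok": 0, "attempts": 0}
    )
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "ok":
            s["ok"] += 1
            s["ok_users"].add(e["user"])

    flagged = {}
    for src, s in per_src.items():
        success_ratio = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_accounts and success_ratio <= max_success_ratio:
            flagged[src] = {
                "distinct_accounts": len(s["users"]),
                "attempts": s["attempts"],
                # Accounts that were logged into from a flagged source are the
                # ones to force a password reset / session revocation on.
                "accounts_to_reset": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The distinguishing signal is the number of distinct accounts per source, not the number of failures: in the sample, 203.0.113.5 touches six accounts with two successes and is flagged, while 198.51.100.7 retries a single account and is not. In production the same grouping would be done per time window and combined with rate limiting, and every account that succeeded from a flagged source gets its sessions revoked and a reset forced.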
What Constitutes a Weak Password?
Weak passwords are not weak only because of their length or the characters used. A password is also weak if it is easily guessable by either a person or a computer. Hackers often use programs built specifically to crack passwords. A password such as “PersonName@12345” may look like a strong password, but it isn’t, because it follows a guessable pattern.
Creating strong passwords is necessary to keep online accounts from being hacked. Furthermore, to ensure that one hacked account does not mean all your accounts are hacked, you also need a separate strong password for each account. Reusing the same strong password across many accounts renders that strong password weak.
So, why do users employ weak passwords? Because strong passwords are harder to remember, and memorizing a different strong password for each online account quickly becomes very difficult to manage.
However, password managers are available that simplify this process. A password manager generates and securely stores a unique strong password for each account, so there is really no excuse for using weak passwords or reusing passwords across multiple accounts.
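To make the two points above concrete (why “PersonName@12345” is guessable despite its mixed characters, and what a password manager’s generator actually does), here is an added Python example that is not from the original article. The small deny-list, the name-plus-digits pattern check and the 12-character / 60-bit thresholds are assumptions chosen for illustration, not any service’s real policy.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a breached-password list (a real check would use
# a full corpus or a k-anonymity lookup against one).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "disney", "letmein"}

# The template from the article: capitalised word(s), optional separator, digits,
# optional trailing symbol, e.g. "PersonName@12345".  Cracking tools try such
# templates early, so the mixed character classes buy very little.
WORD_DIGITS_RE = re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z]+)*[^A-Za-z0-9]?\d+[^A-Za-z0-9]?$")


def charset_size(pw):
    """Size of the alphabet the password draws from (used for the entropy bound)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def estimated_bits(pw):
    """Naive UPPER bound on entropy: assumes every character was chosen at random.
    A template password scores high here, which is exactly why the pattern checks
    below are needed as well."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def weakness_reasons(pw, min_bits=60):
    """List the reasons a password is weak; an empty list means it passed."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in a common-password list")
    if re.sub(r"[^a-z]", "", lowered) in COMMON_PASSWORDS:
        reasons.append("common word with digits/symbols bolted on")
    if WORD_DIGITS_RE.match(pw):
        reasons.append("name + digits template, guessable by a cracker")
    if re.search(r"(\d)\1{2,}", pw) or "1234" in pw or "abcd" in lowered:
        reasons.append("contains a number/keyboard sequence or repeated characters")
    if estimated_bits(pw) < min_bits:
        reasons.append(f"estimated entropy below {min_bits} bits even if random")
    return reasons


def is_strong(pw):
    return not weakness_reasons(pw)


def generate_password(length=20):
    """What a password manager does: draw every character from a CSPRNG, and
    re-draw in the (rare) case the candidate trips one of the policy checks."""
    if length < 12:
        raise ValueError("length must be at least 12 to satisfy the policy")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("PersonName@12345", "Disney2019!", generate_password()):
        print(repr(pw), "->", weakness_reasons(pw) or "ok")
```

Note that “PersonName@12345” scores around 98 bits on the naive entropy bound, so a length-and-character-class policy alone would accept it; only the pattern and sequence checks catch it. The generated password passes because it is random, not because it contains symbols, and since it is stored by the manager rather than memorised, it can be unique per site.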
Why Did Disney+ Not Use Two-Factor Authentication?
The Disney+ streaming service does not use two-factor authentication. Users are notorious for using weak passwords and for reusing familiar passwords across multiple sites. So, why didn’t Disney+ implement this much more secure form of authentication and in the process possibly avoid this whole hacking incident?
Kurt Knutsson, Fox Business’s “CyberGuy”, says that streaming services often do not require two-factor authentication due to the consumers’ dislike of it. Knutsson states Disney did: “not want to do that because studies have come out about streaming services and one of the things that hinder people to adapt to them is the fact that they have to authenticate it constantly. So, they did not want that in the way of the user.”
The Consumer is Responsible
Since streaming service subscribers do not like two-factor authentication, the consumer is responsible for protecting their own logins. Consequently, the best thing users can do to protect their logins against such attacks in the future is to use randomly generated passwords for all their accounts and a password manager to manage them.