Disney said Tuesday that itsis secure, denying there was a breach following a report that some users were shut out after hackers tried to break into their accounts.
The news site ZDNet found stolen account usernames and passwords selling for $3 on underground hacking forums. Disney’s streaming service, Disney+, costs $7 a month or $70 a year. According to a person familiar with the leak, “tens of thousands” of users were impacted.
Disney+ comes as Disney and other traditional media companies try to siphon customers away from Netflix and other streaming providers. Disney is hoping to attract millions of subscribers with its mix of Marvel and Star Wars movies and shows, classic animated films and new series.
Helped by promotions, including a free year for some Verizon customers, Disney+ attracted 10 million subscribers. The popularity led to in the opening hours, but those problems have largely been resolved.
Disney says there’s no indication of a security breach compromising passwords. It says it takes the privacy and security of users’ data seriously. Disney+ hasn’t said how many subscribers have had security problems.
It’s likely hackers used malware or keylogger software, which records keyboard strokes, to access weak passwords. It also seems that some email and password combinations were re-used by Disney+ subscribers after they’d previously been stolen from other online services.
Paul Rohmeyer, a professor at the Stevens Institute of Technology in Hoboken, New Jersey, said he’s surprised that streaming services haven’t yet implemented better security such as multi-factor authentication, in which users must enter a code sent as a text message or email when logging in from a new device. The code helps ensure that people using stolen passwords or guessing them can’t use a service without also having access to the legitimate user’s phone or email account.
Rohmeyer said services may be hesitant to implement tougher security because they don’t want to be seen as more inconvenient than competitors.
Multi-factor authentication is an option for many non-streaming services, including Google, Facebook and Apple, but the extra security must be turned on. Disney+ does require codes sent by email when changing account passwords, but it doesn’t use them for logging in from new devices.
CNET senior producer Dan Patterson contributed to this report.