Mike Chapple is associate teaching professor of information technology, analytics and operations at the University of Notre Dame's Mendoza College of Business. The opinions expressed in this commentary are his own.

Earlier this week, Disney+ customers complained that their account information had been stolen, and reports found that thousands of accounts had indeed been compromised. Disney, meanwhile, said it found no signs of a security breach. If these thousands of valid passwords weren't stolen from Disney servers, how did they make their way onto the dark web so quickly? Most likely, these accounts belonged to individuals who make a habit of reusing the same password across many different websites.

We all know how hard it is to remember many different passwords and, even though 91% of us know that we shouldn't reuse passwords, 59% of us ignore expert advice and reuse the same password across multiple websites anyway, according to a 2018 survey by cybersecurity firm LastPass

This behavior is incredibly risky because hackers know that we are creatures of habit. Once I've discovered that "Chapple4ever!" meets the requirements of most websites and is easy for me to remember, I'm inclined to use it on every new site that I visit. The problem is that hackers can take advantage of this knowledge and reuse stolen password files from weakly secured sites to attempt logins on more sensitive sites.

The most likely scenario in the case of Disney+ is that hackers were waiting for the service to launch, knowing that accounts would be a hot commodity. They likely prepared themselves by compiling lists of previously compromised usernames and passwords. As soon as Disney+ launched, it's possible they ran automated programs that tested each of those accounts on the site and discovered that thousands of people who registered on the first day reused their comfortable (but compromised!) passwords.

Securing your own accounts

Read More