Just hours after the eagerly anticipated rollout of the Disney+ streaming service, customers began complaining on social media that they were being locked out of their accounts or experiencing other disruptions in the streaming of Disney movies and shows. The initial concern was that perhaps cyber criminals had launched a massive cyber attack on the new streaming service, bringing it to its knees almost before it had even launched. However, Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames will work on new sites as well.

How hackers used credential stuffing to attack Disney

And, indeed, this credential stuffing attack appears to be what happened with the new Disney+ streaming service – hackers had obtained access to some database of usernames and passwords from a previous hack pre-dating the launch of the new Disney offering, and then systematically attempted to find out if any of those username/password combos would work with the Disney+ streaming service. Given that Disney signed up 10 million subscribers on the first day, there’s a mathematically and statistically probable chance that some of those subscribers had been hacked in the past, and simply had never changed their username/password combo. For its part, Disney says that “it takes the security of our users” seriously, deflecting any blame that it might have been hacked directly.

This credential stuffing attack scenario would appear to explain a number of other observations, including the fact that only a relatively small number of user accounts were being hijacked. If a much more sophisticated attack had been carried out, wouldn’t the number of users finding their accounts hijacked be in the millions and not in the thousands? Moreover, security researchers have found evidence of hackers listing Disney+ accounts for sale on Dark Web hacking forums, with each username/password combo being sold for anywhere from $3 to $11.

Jonathan Deveaux, head of enterprise data protection at comforte AG, comments on the potential for a credential stuffing attack on Disney+: “The details are unclear regarding the reports of hacked Disney+ accounts. At this time, there are no indications that point to a hack or data breach within the Disney cybersecurity program. What could be happening is a mass effort by bad actors to use previously stolen user IDs and passwords. A quick search on https://haveibeenpwned.com/ reveals websites previously subjected to security events or databases exposed during hacking incidents. There are hundreds of incidents which contain millions of leaked user IDs and passwords.”

John Shier, Senior Security Advisor at Sophos, came to a similar assessment: “Many Disney+ users are reporting that they have been locked out of their accounts. Disney+ has responded by saying they have no evidence of a breach. Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users’ devices.”

The danger of reusing passwords and password sharing

As seen above, the major reason why credential stuffing attacks (and similar types of data breaches) continue to be effective is because most people re-use passwords when they sign up for new services or offerings. It’s too hard to remember more than a handful of passwords at a time, and it’s much easier simply to repeat the same combos (or some variant of those combos) over and over again. The problem, however, is the fact that hackers realize this, and that is why databases of stolen credentials can be found for sale all over the Dark Web. Even if only a small percentage of usernames/passwords are still valid, it can be very lucrative for hackers to engage in credential stuffing attacks.

And, in many ways, Disney+ was the perfect victim for such a credential stuffing attack – hackers knew that there would be tremendous worldwide demand for such a service on a specific date, and they also knew that families would likely be sharing usernames and passwords with other family members. And that raises another key issue: password sharing. For the sake of ease and convenience, too many people share their passwords with others. A much safer security practice, of course, is never to share your password with anyone else. However, in the case of Disney+, the primary allure of the streaming service was that the whole family could use it, without everyone being forced to create an entirely new login. Thus, parents wouldn’t have to worry about their kids inadvertently locking them out of using the service, and vice versa.

Possible solutions to credential stuffing

In addition to common sense tactics like changing passwords and not sharing passwords, what else can be done to stop the scourge of credential stuffing? One popular solution is multi-factor authentication, in which users of a particular website or service must provide multiple forms of identification to prove that they are the true account holder.

Disney, for example, could have used some form of multi-factor authentication to prevent credential stuffing. In such a scenario, users would have to supply another code sent to their mobile device in order to login. That, of course, can make the whole consumer experience of using a service much more cumbersome (especially if kids want to watch a Disney cartoon, and they can’t login without physical access to their parents’ mobile phones). And that might explain why Disney decided not to use multi-factor authentication for the launch of its new streaming service.

Deveaux points out some potential steps that Disney could take to boost security on Disney+: “What is missing from the Disney+ security service is multi-factor-authentication (MFA). MFA is a method in which access is granted only after two or more pieces of evidence a provided when signing onto a service. The password is one of the pieces; depending on how MFA is deployed within a service, a second piece could a code sent to the user’s mobile phone, which is then entered at the time of login. MFA does not guarantee that only the authorized user is indeed accessing the service, but it does help slow down or reduce the likelihood of bad-actors gaining access with only user ID and password credentials. If this is the case with the reports of hacked Disney+ accounts, then Disney did not do anything wrong per se, but they could elect to look at increasing their security posture by upgrading their authentication program.”

And, of course, Internet users should take a much more proactive role in preventing credential stuffing attacks. Using a password manager, for example, they can generate unique passwords for new services that they use online. And, by checking out websites of security researchers, they can check to see if their email address or username is available for sale somewhere on the Dark Web.

Avoiding future hacks of Disney+

The big question now is whether or not Disney can prevent future attacks on its streaming service and the personal data of Disney customers from being compromised. If it cannot, then it might have trouble gaining traction against competitors like Netflix, Hulu and Amazon Prime.

Disney+ accounts up for sale on Dark Web hacking forums after the new streaming service was hit by credential stuffing #cyberattack. #respectdata Click to Tweet

The good news, at least for now, is that the stock market does not seem to be overly concerned about the credential stuffing attack. On the day that news of the credential stuffing attack broke, shares of Disney actually rose by two percent on the New York Stock Exchange. At the end of the day, Disney might have been hacked, but in many ways, it was through no fault of its own. In today’s modern cyber threat landscape, both consumers and businesses have a responsibility when it comes to cyber security. No cyber defense, no matter how strong, is going to be able to deal adequately with a credential stuffing attack if consumers fail to update passwords.