Many Disney+ users are reporting that they have been locked out of their accounts. Disney+ has responded by saying they have no evidence of a breach. Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users’ devices.
What is Credential stuffing?
Credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services. This breach is a prime example of the importance of having unique passwords across all of your online services. As we’ve seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person’s previously compromised passwords across different services, that will be their default.
Excitement has been building for Disney+ and while it’s in limited release, people will seek out alternative means to use the platform, even if that includes using someone else’s password. It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype. Opportunistic cybercriminals deploying credential stealing malware may be identifying Disney+ accounts in their collected data and offering them for sale separately because of the buzz associated with this new platform.
Unfortunately, the Disney+ platform does not appear to offer any kind of multi-factor authentication which would thwart these kinds of attacks against online services.
Basic tips from Sophos
Whatever the root cause, users of online services should incorporate these tips into their everyday cybersecurity practices:
- Don’t reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches
- Provide as little personally identifiable information online as possible
- All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.
(The writer is the Senior Security Advisor at Sophos)