
Disney+: Is it safe to subscribe?

Users are being advised to follow best practice when it comes to online service platforms, in the wake of the launch of Disney+ into the market. 

"While the market has been largely speculative about Disney+ and Netflix's reign as the top OTT service provider, Disney+ seems to have fallen shortly behind with its subscribers recently falling victim to credential stuffing, a technique attackers use to steal passwords to gain access to accounts," explains John Shier, senior security advisor, Sophos.

"News reports have also said that thousands of hacked Disney+ accounts are already up for sale on hacking forums."

Shier says many Disney+ users are reporting that they have been locked out of their accounts. Disney+ has responded by saying they have no evidence of a breach. 

"Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users' devices," he explains.

"Credential stuffing is when cybercriminals use leaked credentials from one website which could already be for sale on the dark web and try those same credentials on other online services," says Shier. 

"This breach is a prime example of the importance of having unique passwords across all of your online services. 

"As we've seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person's previously compromised passwords across different services, that will be their default," he says.

"Excitement has been building for Disney+ and while it's in limited release, people will seek out alternative means to use the platform, even if that includes using someone else's password," Shier says. 

"It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype. 

"Opportunistic cybercriminals deploying credential stealing malware may be identifying Disney+ accounts in their collected data and offering them for sale separately because of the buzz associated with this new platform," he explains.

Unfortunately, says Shier, the Disney+ platform does not appear to offer any kind of multi-factor authentication, which would thwart these kinds of attacks against online services.

Whatever the root cause, Shier says users of online services should incorporate these tips into their everyday cybersecurity practices:

  • Don't reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches
  • Provide as little personally identifiable information online as possible
  • All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defence.