“All it takes is faith and trust, oh! and something I forgot: dust,” Peter Pan tells Wendy, John, and Michael in Disney’s 1953 adaptation of J.M. Barrie’s novel. But after a widespread breach of the entertainment company’s new Disney+ accounts, at least one cybersecurity research company is indicating that its new streaming service needs more than a magical concoction to fly among those it’d qualify as reasonably secure.
An investigation by cybersecurity research company GroupSense has linked the appearance of thousands of Disney+ accounts for sale on the Dark Web to a credential-stuffing attack designed to exploit weak account security procedures Disney has implemented. Credential stuffing is using software to automatically reuse stolen or commonly used username-password combinations in hopes of accessing consumer accounts.
Valid credentials for Disney+ accounts, whose subscriptions cost $6.99 per month, are available on the Dark Web for a minimum of $3, whereas most similar accounts max out on the Dark Web at $3. That’s because a Disney+ account links to the user’s credit card, as well as other personal information that can be used in identity theft, says GroupSense CEO and founder Kurtis Minder.
READ MORE ON DATA BREACHES
What you need to know about the Marriott breach
How to tell you’re part of the 30 million user Facebook breach
How to recover from a health care data breach
Want to stop data breaches? Make companies accountable
How to deal with Equifax and our ‘broken’ credit protection system
So you’re caught in a data breach. Now what?
“Disney did not use some of the best practices that can protect users,” he says. “There’s no two-factor authentication—that’s a no-brainer. And Disney should obfuscate the existence of an account, not validating one way or the other whether an account exists.”
When someone tries to log into Disney+, the service verifies whether the account username exists. That may be helpful to users who have forgotten which email address they used when creating their Disney+ account, but hackers can also exploit this logic.
Hackers could use a software tool or botnet to automatically check whether an email address is already in the Disney+ system. Once hackers know that an account using that email address as a username exists, breaking in could simply be a matter of trying commonly used or previously leaked passwords associated with that address, Minder says.
“To actually validate that an account didn’t exist has the reverse effect that it also validates accounts that do exist,” he says. “It appears that [hackers are] not just using raw credential dumps, but also employing some other tactic, like wordlists, to gain access.”
GroupSense researchers also note that many of the Disney+ accounts being sold on the Dark Web are flagged as originating from a Disney+ free trial, and through Verizon Wireless, which offers its customers a free one-year subscription to Disney+. There are a number of other services hackers can target for Disney+ access, including other Disney-owned services whose account holders have been given access to Disney+, such as Disneyland, Walt Disney World, ESPN, Marvel, and FX.
Although Disney+ forces users to enter a one time-use passcode after too many log-in attempts, GroupSense reports that the emailed one-time code expires after 15 minutes, and then the hacker is free to resume log-in attempts.
Disney did not respond to questions about why it hasn’t implemented two-factor authentication or other security methods for its streaming-service users. A Disney representative said in an email that the company has not found evidence of a security breach.
“Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the Web. We continuously audit our security systems, and when we find an attempted suspicious log-in, we proactively lock the associated user account and direct the user to select a new password,” the representative said. “We have seen a very small percentage of users in this situation and encourage any users who are having these kinds of issues to reach out to our customer support so we can help them.”
Most security professionals studying account breaches are quick to point to consumers reusing their passwords. In this case, however, they might also point at the corporation charged with issuing and protecting consumer accounts. And this is hardly an isolated case.
Of the major media-streaming services that The Parallax looked at, only tech companies that already have invested in two-factor authentication—Google, Apple, Comcast, and Amazon—offer it as part of their streaming-service account protection. Media-first streaming services Disney+, Netflix, Spotify, Hulu, HBO Go, and DirectTV do not.
Account takeovers, a common type of identity theft, are a big moneymaker for hackers that show no signs of losing steam. A LexisNexis True Cost of Fraud Survey found that every dollar of fraud costs organizations more than $2.50 in real-world costs; account takeover fraud was estimated in 2018 to cost $5.1 billion in the United States, triple the previous year, according to Javelin Strategy and Research. And a Microsoft study published in July 2019 concludes that using some form of two-factor authentication makes user accounts 99.9 percent less susceptible to takeovers. That’s a statistic one would think services would find convincing enough to at least offer two-factor authentication.
Streaming services may be reluctant to implement two-factor authentication and other stronger account protections because they fear losing customers, says one senior security analyst who did not have permission from their employer to speak with The Parallax. “What is the risk of customer attrition?” they said. “With additional factors of authentication, in the case of an account takeover, account recovery also poses the risk of customer attrition.”
To paraphrase Werner Herzog in Disney+’s new Star Wars-based TV show, The Mandalorian, protecting consumers’ online accounts is a complicated business. But it doesn’t have to be.