Disney's new game-changing streaming-video service hasn't even been available for a week, but already its users have been hacked and thousands of Disney+ accounts are on sale on the Dark Web, according to a new report.
Security researchers at ZDNet said that they've found "thousands" of Disney+ accounts for sale on the Dark Web. In hacking forums where those who have obtained the account credentials are communicating. The Disney+ accounts are trading for as little as $3, according to the report. That's much cheaper than the $7 per month Disney+ costs. In some cases, in accounts that had more value, hackers are charging a one-time fee of $11.
According to ZDNet's research, hackers who bought the credentials did more than just stream their content. Instead, many reported that hackers logged in and changed their account e-mail and password, leaving users without the Disney+ accounts that they were still paying for. They were only alerted to the change via e-mail.
The technique is a familiar one in the world of user credentials. High-value targets, like a person's Amazon, PayPal, or Venmo accounts are regularly traded on the Dark Web. Social Security numbers and bank account information are also highly sought-after.
What's interesting, however, is how little time it took to target Disney+. In fact, the hacking suggests that hackers themselves know that Disney+ is a highly sought-after service and they're trying to capitalize on that by targeting users and obtaining credentials to make a few bucks.
Disney revealed last week, just days after the service's launch, that it had already attracted 10 million users around the globe. It's likely attracted even more people since then, and it's similarly likely that users will continue to see their credentials traded on the Dark Web over time.
Exactly what, if anything, can be done to safeguard Disney+ users, however, is decidedly difficult to determine. It doesn't appear to the researchers at ZDNet that Disney+ was actually hacked. Instead, users were duped into revealing their account credentials, suggesting they were instead hijacked.
Every company today is forced to deal with (and try to address) hijacking. And until users stop handing over their account credentials to the wrong people, there's little companies can do to actually address the problem.
Looking ahead, therefore, there's a strong likelihood that Disney+ accounts will continue to be traded on the Dark Web alongside the multitude of account information and illegal content already for sale in that shadowy part of the Internet. Like it or not, this is only just the beginning.