Logon details of Disney+ customers sold online

Los Angeles/New York — The usernames and passwords of some customers who signed up for Walt Disney’s new Disney+ streaming service have been sold online to third parties, and they have been locked out of their newly opened accounts.

Disney said its system hasn’t been hacked and that it’s working to quickly address the issue. It’s possible hackers obtained the names and passwords from data breaches at other companies.

“Disney takes the privacy and security of our users’ data very seriously, and there is no indication of a security breach on Disney+,” the company said.

Disney+ is the company’s effort to build a direct connection to consumers, as many people shift to watching movies and shows on demand rather than on cable and satellite TV. The $7-a-month service launched a week ago and quickly signed up more than 10-million customers, a number far exceeding predictions.

Still, the debut was marred by many complaints from customers who couldn’t log on or had trouble watching programmes. But the number of gripes collected by the website Downdetector has dropped sharply over the past week and now amounts to just a few dozen.

Growing exposure

Speaking at the Code Media conference in Los Angeles on Tuesday, Disney’s direct-to-consumer chief blamed the initial troubles on faulty coding in the app, which the company is working to fix. Kevin Mayer said Disney executives were “very surprised” by the number of people who subscribed.

The sign-up process was complicated, he said, because some customers already had subscriptions to Disney services such as Hulu and wanted to add the new one. Many customers also forgot they already had Disney accounts.

“Not only was it huge demand, but the complexity,” Mayer said. “If you were a current subscriber, how does it work? Those were legitimate questions.”

While Disney has long collected customers’ names and passwords for its theme parks and online games, the expansion into online video on a global basis brings the potential for more technology glitches.

ZDNet reported at the weekend that Disney+ users’ accounts were being put up for sale on hacking forums within hours of the service’s launch at prices of $3 (R44) to $11 each. Some customers reported they had used old passwords, but others said they hadn’t, according to the website.

While there may be few thousand compromised Disney accounts, that’s small compared with the hundreds of thousands of usernames and passwords on the black market hijacked from platforms such as Hulu, Netflix and HBO, said Andrei Barysevich, CEO and co-founder of the security firm Gemini Advisory.

‘Very effective’

Reusing names and password combinations from previous attacks at other sites can be a “very effective method” for hackers, he said.

“This is one of the biggest problems, not just streaming services, but pretty much every e-commerce business has been battling for the last couple of years, because there’s an abundance of compromised e-mails and passwords on the dark web,” Barysevich said.

At Code Media, a conference for media executives, operators of rival services praised the Disney+ launch. David Nevins, chief creative officer at CBS, called the sign-ups “impressive”, while AT&T president John Stankey said while Disney+ “was off to a good start”, keeping customers happy and subscribed will be an ongoing issue.

“How many of the 10-million customers are there six months from now?” Stankey asked. “It’s managing churn.”

Bloomberg