Reports surfaced just days after the launch of Disney+: thousands of accounts for the streaming service had already been put up for sale on various hacker forums at competitive prices. As of Wednesday, new victims were still taking to Twitter and elsewhere to vent their frustration that their accounts had been taken over. What happened is almost certainly not a hack in the usual sense of the word. Instead, it looks like a classic, and regrettable, case of what is known as credential stuffing.
As ZDNet first reported, compromised Disney+ accounts can be found on the dark web for as little as $11 apiece, or even for free. (Disney+ itself costs $7 a month, or less on an annual plan.)
Disney rejects any suggestion that its systems were hacked. “We have found no evidence of a security breach,” the company said. “We continuously audit our security systems, and when we detect a suspicious login attempt, we proactively lock the associated user account and direct the user to select a new password.”
Taking mega-corporations at their word, especially on cybersecurity matters, is rarely advisable, but in this case you don't need to, because a simpler explanation is almost certainly the right one.
“It certainly sounds like credential stuffing,” said Troy Hunt, founder of the Have I Been Pwned website, a repository of billions of accounts that have leaked through various breaches over the years. “This incident has all the hallmarks we have seen again and again.”
For a technique that causes so many headaches (Dunkin' Donuts, Nest, and OkCupid are all recent victims), credential stuffing is relatively simple. You take a set of usernames and passwords that leaked in previous breaches, throw them at a particular service, and see which ones work. Credential stuffing tools are readily available online, and they not only automate the process but also make the login attempts look legitimate by trickling them in from many IP addresses rather than as one suspicious tsunami from a single source. And because people reuse passwords so often, it's easy to get a significant number of matches. (Imagine you used the same key for your home, car, office, and gym locker. Once a burglar makes a copy, they can break into all of them.)
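The trickle described above is exactly what makes stuffing hard to spot with the usual "one IP hammering many accounts" rule: each source stays quiet, and only the aggregate picture gives the campaign away. The following is an added example, not code from the article or from Disney, that runs both kinds of check over a constructed login log (the log lines, addresses and account names are made up for illustration): a per-IP rule that the trickle slips past, and a windowed rule that looks for failures spread across many distinct accounts and many distinct addresses at a failure rate no amount of typos would produce. Successful logins inside a flagged window are the accounts to lock and force through a password reset, which is the response Disney's statement describes.

```python
"""Spotting a credential-stuffing trickle in web login logs.

Constructed example: the log lines below are made up for illustration and are
not Disney+ data. Format per line: ISO-8601 timestamp, source IP, username,
and whether the login succeeded (OK) or failed (FAIL).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Normal traffic: a few real users, each from their own address, a typo or two.
BASELINE_LINES = """\
2019-11-18T09:00:05Z 203.0.113.10 alice OK
2019-11-18T09:00:40Z 203.0.113.11 bob FAIL
2019-11-18T09:00:52Z 203.0.113.11 bob OK
2019-11-18T09:01:10Z 203.0.113.12 carol OK
2019-11-18T09:02:30Z 203.0.113.13 dave OK
2019-11-18T09:03:15Z 203.0.113.14 erin FAIL
2019-11-18T09:03:21Z 203.0.113.14 erin OK
""".splitlines()

# Stuffing run: a leaked list of 20 username/password pairs replayed as a
# trickle from 10 proxy addresses, two attempts each, 11 seconds apart.
# One pair (user17) was reused on this service, so it logs in.
ATTACK_LINES = [
    f"2019-11-18T10:{(n * 11) // 60:02d}:{(n * 11) % 60:02d}Z "
    f"198.51.100.{(n - 1) // 2 + 1} user{n:02d} {'OK' if n == 17 else 'FAIL'}"
    for n in range(1, 21)
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(lines):
    """Turn raw log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, TS_FMT), ip, user, result == "OK"))
    return events


def flag_noisy_ips(events, min_users=5, min_fail_ratio=0.8):
    """Classic per-source rule: one address trying many different accounts.
    A stuffing tool that spreads its list thinly over many proxies never
    trips this, which is the point of the trickle."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["fails"] += 0 if ok else 1
    return sorted(
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_users and s["fails"] / s["attempts"] >= min_fail_ratio
    )


def flag_stuffing_windows(events, window_min=5, min_fail_users=10,
                          min_fail_ips=5, min_fail_ratio=0.8):
    """Aggregate rule: within one fixed time window, failures spread across
    many distinct accounts AND many distinct addresses, at a failure rate
    far above what typos produce. Returns (window_start, stats) pairs."""
    windows = defaultdict(lambda: {"attempts": 0, "fails": 0, "fail_users": set(),
                                   "fail_ips": set(), "hits": set()})
    for ts, ip, user, ok in events:
        start = ts - timedelta(minutes=ts.minute % window_min,
                               seconds=ts.second, microseconds=ts.microsecond)
        w = windows[start]
        w["attempts"] += 1
        if ok:
            w["hits"].add(user)
        else:
            w["fails"] += 1
            w["fail_users"].add(user)
            w["fail_ips"].add(ip)
    flagged = []
    for start in sorted(windows):
        w = windows[start]
        if (len(w["fail_users"]) >= min_fail_users
                and len(w["fail_ips"]) >= min_fail_ips
                and w["fails"] / w["attempts"] >= min_fail_ratio):
            flagged.append((start.strftime(TS_FMT), {
                "attempts": w["attempts"],
                "fails": w["fails"],
                "distinct_fail_users": len(w["fail_users"]),
                "distinct_fail_ips": len(w["fail_ips"]),
                # Logins that succeeded inside a stuffing window are the
                # reused-password accounts: lock them and force a reset.
                "likely_compromised": sorted(w["hits"]),
            }))
    return flagged


EVENTS = parse(BASELINE_LINES + ATTACK_LINES)

if __name__ == "__main__":
    print("per-IP rule flags:", flag_noisy_ips(EVENTS))  # []
    for start, stats in flag_stuffing_windows(EVENTS):
        print("stuffing window", start, stats)
```

Run as a script, the per-IP rule returns nothing, because no attacking address touched more than two accounts, while the window starting at 10:00 is flagged with 19 failures across 19 accounts from 10 addresses and `user17` singled out as the likely takeover. The thresholds are illustrative; in production they would be tuned to the service's own baseline of typo-driven failures.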
Hackers, of course, have no shortage of material to draw on. Look no further than the recent discovery of what's known as Collection #1-5, which put 2.2 billion usernames and associated passwords freely up for grabs on hacker forums. The first batch alone held 773 million records. It was, in effect, a breach of breaches, a compilation of data from large-scale hacks such as LinkedIn, Myspace, and Yahoo.
That's not to say hackers used this particular data. The point is that many of your usernames and passwords are already compromised, and if you reuse them, you are setting yourself up for a headache. And while some Disney+ users claim they used a unique password, they most likely just forgot. “In my experience, people have many times stated the strength of their passwords, and some studies show that this is rarely the case,” Hunt says. “So I would take those claims with a grain of salt.”
This doesn't entirely let Disney off the hook. The company consolidates accounts across its many services, so if you lose your Disney+ login, you also lose access to Disney World Resorts, Disney Vacation Club, ESPN, and so on. That needlessly widens your exposure. The company could also take the additional step of offering two-factor authentication, though other streaming services, such as Netflix, don't currently offer it either. Likewise, Disney could have put more obstacles in the way of credential stuffing.
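One such obstacle, and the natural defensive counterpart to the password-reuse problem Hunt describes, is to refuse any new password that already appears in a known breach corpus. Here is an added example, not Disney's or Have I Been Pwned's code, of how a signup form can do that without ever sending the password off the box, in the k-anonymity style used by Pwned Passwords: the client hashes the password, sends only the first five hex characters of the SHA-1, and matches the returned suffixes locally. The breach corpus, its occurrence counts, and the `range_query()` server stand-in are constructed for this illustration, not the real service or its data.

```python
"""Screening a new password against a breach corpus via hash-prefix lookup.

Constructed example: CORPUS is a tiny made-up stand-in for a real breach
corpus, and range_query() stands in for the remote range endpoint. Only the
5-character SHA-1 prefix ever crosses the client/server boundary.
"""
import hashlib
import secrets

# Constructed "breach corpus": SHA-1 of a handful of commonly leaked passwords,
# each with an invented occurrence count (the counts are not real figures).
_LEAKED = {"password": 3_000_000, "123456": 20_000_000, "qwerty": 3_500_000,
           "disney123": 800, "letmein": 150_000}
CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper(): c for p, c in _LEAKED.items()}


def range_query(prefix5):
    """Server side: given the first 5 hex chars of a SHA-1, return every
    matching 'SUFFIX:COUNT' line. The server never learns the full hash, so
    it cannot tell which of the returned candidates the client actually holds."""
    assert len(prefix5) == 5, "range queries take exactly a 5-hex-char prefix"
    return [f"{h[5:]}:{c}" for h, c in CORPUS.items() if h.startswith(prefix5)]


def breach_count(password):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password was seen in the corpus (0 if never)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def accept_new_password(password, min_len=8):
    """Policy a signup or password-change form could apply: reject passwords
    that are too short or that already circulate in breach dumps, since those
    are exactly the ones a stuffing list will contain."""
    if len(password) < min_len:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"seen {seen} times in breached accounts"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["disney123", "letmein", secrets.token_urlsafe(16)]:
        print(candidate, "->", accept_new_password(candidate))
```

The check is only as good as the corpus behind it, and it is a complement to, not a substitute for, rate limiting, anomaly detection on login traffic, and a second factor: a unique password that has not leaked yet is still one phish away from the next breach dump.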