On November 12, just hours after Disney launched its new streaming service, Disney+, complaints began surfacing that new subscribers—all of them desperate to watch The Mandalorian, no doubt—had been locked out of their accounts.
“Many users reported that hackers were accessing their accounts, logging them out of all devices, and then changing the account’s email and password, effectively taking over the account and locking the previous owner out,” ZDNet reports. According to the site’s investigation, some people reported reusing passwords that hackers may have been able to obtain from other sites, while several claim they created unique passwords. In those cases, ZDNet says, “Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.”
DISNEY+ HAS BEEN OPEN FOR LIKE 10 HOURS AND MY ACCOUNT HAS ALREADY BEEN HACKED pic.twitter.com/YBv6CfwTlh
— brandon ʕ·ᴥ·ʔ (@brandoncult) November 12, 2019
“Disney takes the privacy and security of our users’ data very seriously,” a company spokesperson said in a statement on Monday, “and if a customer suspects something else is going on, they should reach out to customer support immediately.”
The problem is that it isn’t easy to reach customer support. Disney apparently never anticipated it would register a mind-boggling 10 million subscribers the first day, and the customer support infrastructure has been inadequate. As a result, subscribers whose passwords were up for sale from $3 to $11, or available for free, on the Dark Net, have waited hours to report the incident, change their passwords, and regain service.
On November 15, one user tweeted, “Disney + launch has been absolutely horrible. Their customer service is no help at all and apparently hundreds of accounts were hacked and sold online. My account got hacked & email/password changed, thankfully I cancelled my subscription before the hack.”
In its official statement, Disney reported that while customers were having trouble, it was not because of a technical error on Disney’s part.
“There’s been no indication of a security breach on Disney+, rather, these incidents most likely occurred as a result of an unauthorized individual re-using a customer’s email/password combination gathered during previous security incidents impacting other companies.”
If Disney does see “suspicious” activity, it shuts the account down: “As part of our standard operating procedures, if our systems notice suspicious login activity on a user’s online account with the Walt Disney Company, as a precaution, we will lock their account and request a password reset.”
“The speed at which hackers have mobilized to monetize Disney+ accounts is astounding,” adds ZDNet. “Accounts were put up for sale on hacking forums within hours after the service’s launch. As of this article’s writing, hacking forums have been flooded with Disney+ accounts, with ads offering access to thousands of account credentials.”