News & AnalysisNewsletter

Learnings from the Disney+ Accounts Hack

Despite millions of passwords getting leaked on the Internet every year, users use the same login credentials across sites and services, giving hackers a greater access to all their accounts. The recent example is the hacking of user data within hours of Disney+ getting launched with some of it being offered for free on hacking forums. While the incident prompts end user consumers to use unique passwords across online services, for enterprises it highlights the importance of having a strict password security policy in place to prevent hackers from gaining legitimate access to their data and systems.

Read more: Disney+ Goes Live and So Does Its User Data

The technique used in the case of Disney+ accounts hack is touted as Credential stuffing, in which an attacker tries to log into a victim’s account using millions of usernames and passwords that have been leaked in data breaches. Since most people unfortunately reuse passwords, this method is much more efficient than trying to guess every combination of characters.

What is Credential Stuffing?

Security experts believe it is as imprudent as using the same key for your house, car, office, and gym locker. Once a robber makes a copy, they can break in anywhere. For cyber attackers, the end goal is to crack open accounts, whether they are used by external customers or corporate employees.

The first widespread credential stuffing attacks were observed in late 2014, when selling accounts, attackers offered the quick and easy monetization of compromised account credentials. With very little investment, criminals expected to earn at least ten times the profit on the sale of compromised login credentials of reputed brands such as eBay and Amazon.

Credential stuffing also affects sectors such as mid-sized financial services and retail organizations. It relies upon the fact that many organizations still allow customers and employees to use password-only log-ins, and the fact that these users have so many to manage that they resort to sharing credentials across multiple sites and accounts.

The 2019 edition of Akamai Technologies’ State of the Internet Report, the company reported it had detected 3.5 billion credential-stuffing attempts in just the past 18 months. The researchers say these attacks have grown more efficient and accessible due to low-cost automation tools that can evade detection. It also shows 35% of these attacks were focused on the tech, video media and entertainment sectors, primarily because they offer a wealth of personal and corporate data.

It has also been observed that hacking forums are currently overflowing with hacked Amazon Prime, Hulu, and Netflix accounts.

“It’s no surprise that cybercriminals jump on the same bandwagon as everyone else when there’s a big new consumer launch. The scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them – cybercriminals can rely on consumers’ security apathy to give them an easy win,” said, but we don’t yet have anything better,” said Niels Schweisshelm, Technical Program Manager at HackerOne, who believes that passwords are the worst option for secure authentication, even though one cannot do much about it. However, incidents like this serves as a reminder to all about the importance of securing online accounts with strong, complex passwords.

What Can Enterprises Do?

To reduce the risk from automated attacks, such as credential stuffing, organizations should make good password hygiene a priority. One simple way is to have a pop-up box reminding users at account setup about the importance of selecting a strong, unique password.

The other solution is to implement a multi-layered approach. As John Shier, senior security advisor, Sophos said, “What Disney+ could do to help users would be to roll out support for multi-factor authentication, a simple solution that would prevent attacks relying on password reuse.”

“Unfortunately, the Disney+ platform does not appear to offer any kind of multi-factor authentication which would thwart these kinds of attacks against online services. Nonetheless, users of online services should create passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches,” he said.

Read more: How CISOs Can Win the Cyber Security Battle

While some companies may choose to implement MFA which blocks the credential stuffing attack vector, at an organizational level, there should be strict security policies on the use of corporate emails or log-ins to register with third-party sites. As Sheril Jose, Head- Cyber Security at Pune-based Emcure Pharmaceuticals said, “A stronger log-in security could also be combined with AI-powered tools designed to detect suspicious log-in attempts and internal email activity potentially indicating a compromised account.”

Jose feels that as credential stuffing along with other types of complex attacks poses a serious threat to the bottom line and corporate reputation, it requires urgent attention in the ever-evolving digital world for companies to guard their turfs and that of their customers.

Leave a Response

Sohini Bagchi
Sohini Bagchi is Editor at Trivone Digital, a published author and a storyteller. She can be reached at