As reported by ZDNet, Fox News and other news sources this week, a large number of usernames and passwords for accounts with Disney’s new and extremely popular video streaming service, Disney+, appeared for sale on criminal forums and Darknet hidden websites, accessible only via the Tor network. Binary Defense Intelligence Analysts observed a significant amount of activity over the past week that indicated that thousands of usernames and passwords to Disney+ accounts were being sold for $3 to $10 each. Higher priced offerings included a one-year guarantee to replace the account with a new one if the account was suspended or access to it revoked for up to one year. There were also a significant number of accounts that were being given away for free, to be shared between anyone who downloaded the list of passwords. The free accounts are much more likely to be marked for fraudulent use and suspended if too many people around the world use them at the same time. The paid accounts were less likely to be revoked since they would only be used by the Disney+ customer who paid for the account, any family members that they shared the account with, and the person who bought the stolen password. Below is an screenshot from a criminal forum of Disney+ accounts up for sale:
Where did all of these passwords come from? Some people speculated that Disney’s servers themselves could have been breached, but the evidence online suggested that was not the case. “Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+,” the company said in a statement quoted by ZDNet. Binary Defense analysis agrees with the statement that there is no indication of any security breach on Disney+, but rather the accounts were likely compromised because customers used the same or very similar passwords for different websites, and some of the other websites had data breaches in the past, giving attackers material to guess the Disney+ account passwords.
Binary Defense analysts noticed at least one of the criminal actors who was selling accounts posted a screenshot to show how they obtained the passwords using a password-checking program:
The program works by taking one or more lists of previously breached passwords from other websites that were hacked and trying those same passwords to see if they will successfully log in to a Disney+ account. The program uses bots to proxy the requests to Disney’s servers so that they appear to be coming from many different IP addresses and are less likely to raise red flags. Known as credential stuffing, this is a common way in which stolen passwords are used.
The screenshot above shows that the person who tested these passwords had a list of almost 8,000 email addresses and passwords from previous breaches to try, and out of those 8,000, they found about 135 passwords that worked on Disney+.
Password re-use is to blame
This type of problem is caused primarily by consumers re-using passwords. Although using the same password across multiple sites makes it easier to remember, if it gets cracked just once, multiple accounts that use that same password can be compromised. The best remedy for this is to use a password manager—a secure software vault that generates unique, random passwords for each account and makes them available to copy and paste into websites to login. For set-top boxes such as Roku, the customer will still have to type in the password manually, but just having the password manager remember the password is a great help.
Another great option to make password cracking more difficult for attackers is multi-factor authentication (MFA). Instead of simply requiring a username and password to log in, the website requires customers to also type in a one-time-use code that is generated by a mobile app or sent via text message. MFA that uses text messages is potentially vulnerable to SIM-swapping (hijacking a cell phone number,) making it a bit less safe than the mobile app authenticator option. Attackers will likely only expend the effort to hijack a phone number for a more valuable account, such as a bank account.
As a last resort, if the price of a password manager is too much, a simple notebook with passwords written down can be a valid solution to maintaining unique and unguessable passwords for each service. The main problem with that solution is that if the notebook containing the passwords gets lost or stolen, those passwords will be lost as well and will have to be reset.
If there is one password that should be unique and protected at all costs, it’s the one for the email that is used to set up all the other accounts. If an attacker gets access to an email account, they can use that to reset all the passwords to every other account and cause major damage very quickly. If there is one password to protect with strong multi-factor authentication, it should be the email password!
Businesses should be aware that employees sometimes use the same passwords for accounts on websites that they use to log on to their employee account for remote access to the corporate network. Sometimes, employees use their business email address as a username to register on websites that are later breached and the passwords exposed to criminal actors. A common attacker technique is to try the passwords from breaches against company remote-access portals or the corporate Virtual Private Network (VPN).
Binary Defense provides Counterintelligence monitoring services to detect when usernames associated with our client’s corporate domain names are leaked in dumps of passwords from breaches, and promptly notify our clients so they can take preventative action.
Randy Pargman is the Senior Director of Threat Hunting & Counterintelligence at Binary Defense. Prior to joining the company, Randy was a member of the Cyber Task Force with the Federal Bureau of Investigation.