On launch day of Disney+, Twitter and Reddit were swamped with users reporting that their passwords had been changed and they’d been logged out of all devices. Account credentials appeared on the dark web’s hacking forums, with prices ranging from $3 to $7, though some were offered for free, as Disney+ allows account sharing.
Disney, however, says it wasn’t hacked. “We have found no evidence of a security breach,” a rep said in a statement to Variety. “We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.”
Some affected users did admit to reusing credentials from other accounts, which could be how the hackers accessed them, but there were customers who insisted they used unique passwords.
Hackers could have gained access by trying credentials leaked from other sites, or they could have used keyloggers. As Disney noted: “Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the web.”
Disney said only a small percentage of Disney+ customers have reported their accounts being hacked, and it urges anyone who believes they’ve been compromised to contact its customer services.
Earlier this week, Disney exec Kevin Mayer said the Disney+ launch’s problems were to do with the way it architected the app, and nothing to do with Amazon or other third parties. It appears the company wasn’t expecting such a large demand.
