Disney has been accused of putting Snow White’s pal Dopey in charge of the security of its new streaming service following reports that details of thousands of subscribers are already being offered for sale on the “dark web” just days after Disney+ launched.
An investigation by ZDNet has found Disney+ accounts being hawked for between £2 and £9 and sometimes being given away for free.
The service, which only went live on November 12, offers an expansive library of content from Disney shows and movies, Pixar, Marvel, and Lucasfilm as well as new original shows.
Within hours, Disney+ had amassed 10 million customers from the US, Canada and the Netherlands. It does not launch in the UK until March 31 2020.
Disney has rejected claims that its systems must have been compromised. In a statement, it said it “takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+”.
Data security experts believe the details were likely to have been gained from previous hack attacks and that the problem has arisen because consumers are still using the same passwords from their other compromised online accounts.
Comforte AG head of enterprise data protection Jonathan Deveaux said: “At this time, there are no indications that point to a hack or data breach within the Disney cybersecurity programme. What could be happening is a mass effort by bad actors to use previously stolen user IDs and passwords.”
Meanwhile, HackerOne technical programme manager Niels Schweisshelm added: “This should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords. For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers.”
They argue that the issue could have been easily avoided had Disney implemented multi-factor authentication – now seen as standard practice to keep personal information secure – for its new service.
One data security insider said: “Who have they got in charge of data security? Dopey? Two-factor authentication is essential these days, so that even if customer passwords are breached, the damage is limited.”