Has Disney Plus been hacked? Yes, and no

Disney+ profiles (Image credit: Android Central)

It's not (totally) Disney's fault if you're reusing a weak password in the first place. But Disney also still has some work to do.

Repeat after me: "I will not use a password more than once. I will use a password manager of some kind to create strong, unique passwords. And I will, whenever possible, use some form of two-factor authentication."

You should repeat that mantra to yourself the moment you wake in the morning, and just before you go to bed. Doing so while wearing a tinfoil hat is optional. But good password hygiene is not.

That's as evident as ever in a recent ZDNet report on Disney+ accounts being "hacked," or at least some customers quickly losing access to their Disney+ accounts, with the credentials being sold online.

The problem manifests itself in a number of ways, with blame laid not just at Disney's feet, but at ours.

Problem 1: Reusing passwords

One of the most common ways to get your account "hacked" — really, "hijacked" is a better term — is to reuse a username and password that's already been leaked somewhere else.

Let's say my email address — phil@androidcentral.com — and password — TomRocks123 — were used with one of the 359 million MySpace accounts that fell victim to a breach in 2008. The black-hoodied "hackers" then will use that username and password on all kinds of other services, just to see if they work. It's called credential stuffing, and it's a big problem.

That's why data breaches are a big deal, even if nothing bad actually seems to happen at the time. Maybe you'll get lazy and reuse that password again somewhere else.

Problem 2: Password sharing

Sharing streaming service logins is as old as the streaming services themselves. You can blame Millennials for leaving the nest with their parents' Netflix passwords, but the simple fact is that we've all done it at some point.

As of this writing, Disney is tolerating password sharing for Disney+. And that's not an uncommon attitude. There's a technical, monetary and political cost to be paid when you start treating your users as criminals, and so far the likes of Netflix and HBO also have largely let casual password sharing go unchecked. (Large-scale piracy is another matter, though.)

That's not to say that the sort of laissez faire system we enjoy today will continue — there's been talk of late of Netflix and others cracking down.

But there's also a simple reason to not share your Disney+ login — you never know what that other person (or people) will do with it. If two people know your password, it's not a secret anymore.

Problem 3: Actual malware

I'll mention this here because it's mentioned in the original ZDNet piece. Yes, it's quite likely some folks' computers are infected with some sort of malware or keylogger that snags their Disney+ credentials.

And if that's true, that's probably the least of their problems.

The solution: Password managers, 2FA, and Disney doing things a little different

There are a few things you can do to keep your Disney+ credentials more secure. They're also things that you should be doing anyway, never mind Disney+.

Solution 1: Use a password manager of some kind

The best password is the one you don't actually know. We highly recommend that you use a password manager of some kind. Most modern browsers have them built in, which is good. There are a number of great password-manager apps that are even better and offer more flexibility.

The gist, if you've never used one before, is that the password manager remembers all your passwords, and then you lock up the password manager with a master password that only you know. Then you can use crazy, unique passwords for all your services, and avoid ever using a password more than once.


Bonus: See where your credentials already have leaked

I'm a big fan of Have I Been Pwned, a free service that explores data breaches and makes them searchable to determine if your username or password has been outed in a particular instance. (But it does so in a way that HIBP doesn't also leak your credentials. That part's important to note.)

In fact, feed HIBP your email address and it'll alert you when your email address shows up in a new breach. Very cool.

Solution 2: Disney can stop password sharing

Admittedly, this won't be a popular option among the users. (Particularly the ones who are currently mooching.) And it's not necessarily all that great of an idea anyway.

But Disney very well could implement a system where you can only be logged in to one device at a time to watch Disney+. Or it could geo-lock things to a small area — though that would require Disney to know where you are with a good degree of accuracy, and that's not a great thing for privacy.

One other problem: Disney+ allows for as many as seven profiles under a single account. My 9-year-old doesn't need her own Disney+ account. (Mostly because I haven't quite gotten her trained up on password managers yet.) So her tablet is logged in with our family credentials.

Solution 3: Two-factor authentication

I go back and forth on how unhappy to be that Disney+ doesn't offer any sort of two-factor authentication — that is, all you need is an email and password to log in.

There's no sort of secondary method required. No text message. (Which isn't all that great of a security feature anyway.) No time-based token from an app like Authy. No option for a hardware-based universal two-factor key. (Yes, that'd be overkill, but the principle is the same.)

Why no 2FA for Disney+? It's one more thing for someone to maintain — both from Disney's side of things, as well as a pain in the user's behind. It's the usual trade-off between security and usability.


The bottom line: It's all about the passwords

If I had to choose one thing to focus on here, it'd be user passwords.

We as users need to keep our passwords as safe as possible. The (relatively) easiest way to do that is with some kind of password manager — and then take care to never reuse a password.

Yes, that puts the onus on us, and has a tinge of victim-shaming to it. I prefer to call it being a responsible user, though.

But the other thing Disney could (and should) do would be to use a service like Have I Been Pwned, which provides an API to see if a user is trying to sign up with an email address and password that's already been compromised. So if I tried to sign up with phil@androidcentral.com and TomRocks123 as my credentials, it'd say "Hey — that was leaked in that MySpace breach in 2008, so you can't use it here." (In fact, that's something Google already has built into its Chrome browser.)
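As an added example of the signup check described above (this is not code from the article, from Disney, or from HIBP): HIBP's Pwned Passwords range API is queried with only the first five hex characters of the password's SHA-1 hash, so the service never receives the password itself. The live fetcher targets the public endpoint; the leaked-password table used for the offline run is constructed sample data.

```python
"""Reject a signup password that appears in a known breach corpus, using
HIBP's k-anonymity range lookup: send a 5-char SHA-1 prefix, get back all
matching hash suffixes with counts, and compare the rest locally."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public HIBP endpoint

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range_live(prefix: str) -> str:
    """Fetch the real range body for a prefix (needs network access)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "signup-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times this exact password appears in the breach corpus."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def signup_password_ok(password: str,
                       fetch_range: Callable[[str], str] = fetch_range_live) -> bool:
    """Policy for the signup form: any breach appearance is a rejection."""
    return pwned_count(password, fetch_range) == 0

def make_constructed_fetcher(leaked: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for the range endpoint built from a constructed
    {password: count} table; pads each reply with one unrelated suffix."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, n in leaked.items():
        p, s = sha1_prefix_suffix(pw)
        by_prefix.setdefault(p, []).append(f"{s}:{n}")
    return lambda prefix: "\r\n".join(by_prefix.get(prefix, []) + ["0" * 35 + ":1"])

if __name__ == "__main__":
    fake = make_constructed_fetcher({"TomRocks123": 4})  # constructed data
    print(pwned_count("TomRocks123", fake), signup_password_ok("TomRocks123", fake))
```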

So the responsibility falls on both sides, I think. We need to keep our passwords safe. But Disney still has some work to do, too.

Phil Nickinson