UPDATED 11/20/19 1:00 p.m. ET: Disney released a statement on Wednesday, in which the company said only a "small percentage" of Disney Plus users had their login information compromised.
“We have found no evidence of a security breach,” the company told Variety. “We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.”
See original story below.
Shortly after Disney+ was launched, hackers hijacked account credentials and made them available for purchase on forums, according to an investigation from ZDNet. Some of these stolen accounts are going for prices of $3 to $11 (even though an actual subscription is just $7 a month) while others are being handed out for free.
Within 24 hours of its Nov. 12 launch, Disney+ acquired 10 million customers, though it's only been made available thus far in Canada, the Netherlands, and the U.S.
As for people who have been unfortunate enough to be hacked, they report that hackers logged them out of their devices prior to changing the account's email and password, locking the owner out of the account entirely.
Hacking forums now offer thousands of accounts for sale, with ZDNet noting that some could be acquired for free.
By employing the services of a cyber-security researcher, the BBC also located "several hacked customer accounts for sale on the dark web." These stolen accounts come with info that shows what kind of account was signed up for, and also note when each account is set to expire.
Though some hacked users say their logins were unique, the BBC reports that researcher Jason Hill says it looks like the accounts were hacked because people reused passwords from other sites. More specifically, he says that hackers probably tested passwords from sites that had previously been breached and, where those passwords worked, took control of the account(s). This echoes a similar conclusion reached by ZDNet, which added that logins could also have been compromised if users had been infected with malware or keyloggers.
Disney+ has not yet implemented two-factor authentication.
If this is something that alarms you, or something you think may impact you at some point down the line, you can read the whole thing here.