Scores of Disney+ accounts have been hijacked and put up for sale on hacker forums just days after the streaming service launched, an investigation has found.
A report by ZDNet revealed listings for hacked accounts on a host of different dark web forums, with accounts sold for as little as $3. Prices for hacked accounts ranged between $3 and $11, with those at the higher end costing more than buying an account legitimately.
Since its launch on November 12th in the US, Canada and the Netherlands, the streaming service has seen a torrent of new users signing up to watch shows including the hotly tipped Star Wars spinoff, The Mandalorian.
Within hours of the service going live, however, users complained en masse about technical issues, with many left unable to stream their preferred shows or films.
According to ZDNet, many users complained that hackers were cracking into their accounts and logging them out of their devices. Users’ email addresses and passwords have been changed, locking the original owners out of their accounts.
Password security appears to be a recurring theme throughout the publication’s investigation. Many users that ZDNet spoke to admitted they had reused passwords when signing up to Disney+, which suggests that hackers may have accessed accounts using email and password leaks found online.
However, some said the passwords used on their Disney+ accounts were unique. “Other users said online that they did not, and had used passwords unique for their Disney+ accounts,” Catalin Cimpanu wrote.
Naturally, Disney+ recommends that users use unique passwords for their accounts to prevent such incidents occurring.
Hacking forums were flooded with ads offering accounts within just hours of the streaming service launching, the investigation found. But on a number of forums Disney+ credentials were also being offered for free by hackers to share among themselves and the community.
“When we looked into the lists, we found usernames and cleartext credentials. We emailed some users on two sites, and some replied, confirming that the credentials were theirs, and still active,” the report said.