10 million people in Canada, the United States, and the Netherlands signed up for Disney+ at launch. The streaming platform was released on 12 November 2019. It features classic Disney content and exclusive releases.

Thousands of accounts were for sale on the dark web for as little as $3 within hours.

Disney+ is an attractive target for criminals. The large number of users and the untested streaming service presents an opportunity for criminals to exploit weak points in the service.

It is not known at this time how malicious actors gained access to Disney+. It is possible that criminals used compromised credentials from previous data breaches in what is known as a ‘spray phishing’ attack.

Spray phishing attacks are enabled by users who reuse credentials across accounts.

Disney+ Linked to Other Accounts

Disney+ allows users to link their accounts to other Disney services. Disney offers an online store and has online services for its recreation parks.

In these cases, a compromise of a user’s Disney+ account led to an enormous amount of personal data lost, possibly including financial information.

Disney’s Response

Disney has been urging affected customers DM (direct message) its @DisneyPlusHelp handle on twitter for assistance. Users have reported that despite reaching out, Disney has offered little assistance in recovering lost accounts.

At the time of writing, Disney has not notified users that their account has been compromised, nor prompted users to reset their passwords.

Disney+ does not offer two-factor authentication (2FA). 2FA could have prevented much of the data loss. 2FA is a security feature that requires users to enter a code sent to their device or use a token to prove their identity.