Quick Links

Thousands of Disney+ accounts have been "hacked" and are for sale online. Criminals are selling login details for compromised accounts from between $3 and $11. Here's how it likely happened---and how you can protect your Disney+ account.

How Are Disney+ Accounts Being Hacked?

Disney told Variety it's seen "no evidence of a security breach" on its servers and that only a "small percentage" of its over 10 million users have had their login details compromised and leaked.

But, if Disney's servers haven't been compromised, how are there thousands of hacked accounts?

Once again, the culprit appears to be password reuse. If you reuse the same password on multiple websites, your login details have probably already leaked from another site. Now, all a "hacker" has to do is take those already compromised login details and try them on other websites.

For example, let's say you log in with "you@example.com" and the password "SuperSecurePassword" everywhere. Many websites have been breached in the past few years, so "you@example.com / SuperSecurePassword" is probably in one or more databases of leaked credentials. When Disney+ launches, you sign up with your usual email address and password. Hackers try leaked usernames and passwords on Disney+ and other services and gain entry.

We don't know for sure that this is how those accounts were compromised, but that's how accounts are generally compromised. Another possible culprit could be key-logging malware that runs in the background on people's computers and captures their credentials. At any rate, those end-user security problems are the most likely cause---not a breach of Disney's servers.

Password reuse is a serious problem online. A Google / Harris Poll survey from earlier in 2019 found that 52% of people use the same password for multiple accounts, and 13% reuse the same password everywhere. Only 35% of people polled say they use unique passwords everywhere.

Related: How Attackers Actually "Hack Accounts" Online and How to Protect Yourself

How to Protect Your Disney+ Account

Generating a strong password for Disney+ with the 1Password X password manager in Google Chrome.

Use a unique password for your Disney+ account---and all your other accounts online. It's difficult (arguably impossible!) to remember so many strong, unique passwords. That's why we recommend using a password manager. You remember one strong master password to unlock your secure password vault. Your password manager automatically creates strong passwords for your online accounts and fills them in for you.

Change your weak, reused passwords to strong, unique ones. Let a password manager do the work and save your mental energy.

We're not pushing any particular password manager here. We like 1Password and LastPass. Dashlane has a nice interface. Bitwarden and KeePass are open-source. Your web browser even has a built-in password manager---while we recommend against using those built-in password managers, they're better than nothing.

You can check whether your password has appeared in any known data breaches with a service like Have I Been Pwned? Password managers like 1Password and LastPass will also check if any passwords you're using have been breached. Don't have a false sense of security, though: Even if your password doesn't appear in this database, it may still have been breached.

The usual online security tips apply, too: Be sure you're running antimalware software on your Windows PC, keep your software up-to-date, and enable two-factor authentication for sensitive accounts like your email. That two-step security will help protect you even if someone captures your username and password.

Related: Why You Should Use a Password Manager, and How to Get Started

Disney Does Look For Suspicious Logins

Disney did also tell Variety that "when we find an attempted suspicious login, we proactively lock the associated user account and direct the user to select a new password." If Disney is on top of things, those compromised Disney+ account details may not be a good value for criminals---even at just $3.

If you're locked out, Disney says you should contact its customer service.

What Disney Should Do to Protect Its Users

Disney+ iPhone App Logo

While Disney+ is likely not at fault for these breaches, there's definitely more Disney could do. Disney could offer two-step authentication, ensuring you have to provide an additional code---possibly one sent to your phone or generated by an app---before signing in.

Sure, this would protect people who reused passwords everywhere, but those people probably wouldn't enable it. Two-step authentication is a great option we want to see everywhere, but it's not a solution for everyone.

Beyond that, Disney could automatically search for leaked username and password combinations and proactively inform DIsney+ users, asking them to change their usernames and passwords. Netflix has done this in the past.

Ultimately, however, Disney+ isn't alone here. Criminals are selling credentials for Netflix accounts on the dark web, too. Poor password security practices are a risk to many different online accounts. That's why the tech industry keeps talking about killing passwords.

Related: What is a "Dark Web Scan" and Should You Use One?