No this isn’t just another Disney Sci-fi cartoon or movie narrative. Disney plus has been hacked in the real world. After months of anticipation, Disney launched its Netflix competitor Disney Plus (better known as Disney+) on November 12, 2019 in the U.S., Canada and Netherlands. Disney+ is a subscription-based video on-demand streaming service owned by the Walt Disney Direct-to-Consumer & the International division of The Walt Disney Company.
Unlike others, this Disney fairytale didn’t last for long. Hours after the launch, subscribers started complaining about not being able to log in to their Disney+ accounts. Soon the word spread out and after repeated reports of such incidences it was found that thousands of Disney Plus Accounts were up for sale on the dark web for costs ranging from US$3 per account to US$11 – which, is much more than the actual subscription cost of US$7 for a legit Disney+ account. Subscribers reported that hackers logged them out of all devices, and even changed the registered email address and password making the previous login credentials void.
This hacking incidence could very well haunt Disney, as back in March this year, Disney had urged its shareholders to vote against a cybersecurity and privacy proposal that would have led to a new privacy and cybersecurity metrics being linked to senior executive compensation. Owing to Disney’s appeal, just 26 percent of its shareholders voted “Yes” for the implementation; the rest were “No” votes cast by shareholders, board members—or by default. As of today, the ballot is sealed, and the proposal stands defeated. But could this be one of the curses behind this hacking?
Another interesting analysis pointed out the lack of Multi-Factor Authentication (MFA) security feature in Disney+ services. MFA is a method in which access is granted only after two or more authentication criterions are met while signing into a service. A unique password could be the first authentication layer, and the second layer could be a randomly generated code sent to the user’s mobile phone or registered email address, which is then entered during login process.
This has already been described at the beginning of the story in bold words – “Disney Plus Hacked”. But what Disney can do is have an alternative ending, perhaps taking a cue from one of their fairy tale stories, which have happy endings. How can they do it?
It needs to immediately roll-out a two/multi-factor authentication (2FA/MFA) feature to keep unaffected user accounts safe and secure. This also helps restrict the password reuse of affected users. Next, they need to provide 24/7 support to all affected users for regaining their account access control. In case this is not possible, then Disney must provide them an alternate Disney+ access. Disney also needs to strengthen and prioritize their cybersecurity and privacy policies because managing security and credibility of online content is no child’s play but a top priority for such digital content giants.
These measures don’t guarantee a “happily ever after” for Disney but it could be a step towards attaining it.
For the time being – That’s all Folks!