<h1>The Likely Reason Disney+ Accounts Are Getting ‘Hacked’</h1>
<p><img src="https://media.wired.com/photos/5dd58bba30ef2c0008e9e2b8/master/pass/Security_Disneyplus-200406551-001.jpg"/></p>
<p><strong>Credit to Author: Brian Barrett | Date: Wed, 20 Nov 2019 20:02:13 +0000</strong></p>
<p class="content-header__row content-header__dek">Credential stuffing, where names and passwords leaked in previous breaches are reused, strikes again.</p>
<p>The reports came just a few days after <a href="https://www.wired.com/story/disney-plus-power-launch/">Disney+ launched</a>: thousands of the streaming service’s accounts were already up for sale on various hacking forums, at bargain prices. As of Wednesday, new victims were still taking to Twitter and other venues to <a href="https://twitter.com/riosluis_/status/1197186901129748482" rel="nofollow noopener noreferrer" target="_blank">express</a> their frustration that their accounts had been taken over. What’s happening almost certainly isn’t a hack in the way you’d normally think of it. Instead, it appears to be a classic—and regrettable—case of what’s known as <a href="https://www.wired.com/story/what-is-credential-stuffing/">credential stuffing</a>.</p>
<p>As ZDNet <a href="https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/" rel="nofollow noopener noreferrer" target="_blank">first reported</a>, compromised Disney+ accounts could be found on the dark web for as much as $11 a pop, or as little as, well, free. (Disney+ itself costs $7 per month, or less for a full-year plan.)</p>
<p>Disney rejects any suggestion that its systems have been hacked. “We have found no evidence of a security breach,” the company said in a statement. “We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.”</p>
<p>Taking megacorporations at their word, especially regarding cybersecurity issues, is <a href="https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/">rarely advisable</a>, but in this case you don’t have to, because the simpler explanation is almost certainly the correct one.</p>
<p>“It certainly sounds like credential stuffing,” says Troy Hunt, founder of the website Have I Been Pwned, a repository of the billions of accounts that have been leaked across various breaches over the years. “This incident has all the hallmarks of what we’ve been seeing over and over again.”</p>
<p>For a technique that causes so many headaches—Dunkin' Donuts, Nest, and OkCupid are all recent victims—credential stuffing is relatively straightforward. You just take a set of user names and passwords that have leaked in previous breaches, throw them at a given service, and see which ones stick. Credential stuffing tools are readily available online that not only automate the process, but also make the login requests look legitimate—sending them as trickles from multiple IP addresses rather than one suspicious, centrally located tsunami. And because people reuse passwords so frequently, it’s not hard to get a significant number of matches. (Imagine you used the same key for your house, car, office, and gym locker. Once a robber makes a copy, they can break in anywhere.)</p>
<p>Hackers certainly have no shortage of material to pull from. Look no further than the recent discovery of what’s <a href="https://www.wired.com/story/collection-leak-usernames-passwords-billions/">known as Collections #1-5</a>, which made 2.2 billion user names and associated passwords freely available on hacker forums. The first batch alone <a href="https://www.wired.com/story/collection-one-breach-email-accounts-passwords/">had 773 million records</a>. It was effectively a breach of breaches, a compendium of data from large-scale hacks like those of LinkedIn, <a href="https://www.wired.com/2016/05/hack-brief-old-myspace-account-just-came-back-haunt/">Myspace</a>, and <a href="https://www.wired.com/2016/12/yahoo-hack-billion-users/">Yahoo</a>.</p>
<p>The point isn’t that hackers used that data specifically. It’s that many of your user names and passwords have been compromised by now, and if you reuse them, you’re setting yourself up for a headache. And even though some Disney+ users claim that they used a unique password, chances are they may have simply forgotten. “In my experience, many times when people have proclaimed the strength of their passwords, a bit of probing shows that’s rarely the case,” says Hunt. “So I’d take those claims with a grain of salt.”</p>
<p>This doesn’t exculpate Disney entirely. The company links the accounts for its multiple services together, so if you lose Disney+ you also lose access to Disney World Resorts, Disney Vacation Club, ESPN, and so on. That needlessly widens your potential exposure. And the company could take the extra step of <a href="https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator">providing two-factor authentication</a>, although other streaming services like Netflix don’t currently offer that either. Similarly, Disney could throw up more impediments to the credential stuffing process in the first place.</p>
<p>“Most bad actors use scripts to perform credential stuffing attacks,” says Ronnie Tokazowski, senior threat researcher with email security firm Agari. “Adding something simple like captcha will help slow down or mitigate the login attempts by malicious actors.”</p>
<p>Like so many things, it comes down to security versus convenience. If you don't want to wait for companies to act—and let's face it, you don't—take account security into your own hands and <a href="https://www.wired.com/story/best-password-managers/">use a password manager</a>. The initial setup can be a pain, but at least when you’re done you have confidence that all of your passwords are both unique and tough to crack. Losing access to your accounts is an unnecessary annoyance, and while Disney says that <a href="https://www.wired.com/story/netflix-hulu-spotify-shared-account-freeloaders/">customer support</a> will help you reclaim it, you’ve got better ways to spend your time.</p>
<p>That’s not to blame the victims. That’s just the world we’re stuck with for now. You might as well do what you can to make life as difficult as possible for the bad guys.</p>
<p><a href="https://www.wired.com/story/disney-plus-hacks-credential-stuffing" target="bwo">https://www.wired.com/category/security/feed/</a></p>