There are many Disney Plus accounts available for sale by fraudsters. Attackers use Credential Stuffing and Password Spraying attacks to gain access to these accounts.
CNBC has more details on the compromises.
What are Credential Stuffing and Password Spraying Attacks?
Credential Stuffing is when attackers take known email addresses and passwords from one site compromise and use them on another site. That is why is it very important to use different passwords for all of the systems that you use.
Password Spraying is when attackers try lots of email addresses with common passwords like “Pa$$w0rd” and try lots of them to see if any work. That is why you must not use common passwords!
What Can Disney Do?
Disney could be doing more including offering Multi Factor Authentication (MFA) as an option. MFA is when you login with something you know (password) and something you have (code from a phone). (If you are a cybersecurity professional don’t get pedantic with me. Yes, the definition is more complex but the intended audience for this post is not you.)
Multi Factor Authentication makes it much, much harder for a fraudster to compromise accounts because they need the second factor of authentication. For a service like Disney+, the return on investment would likely be too low to perpetuate the attack. (For your banking credentials, however, it may be worth an attacker’s time.)
What Can I do?
For Disney+ and all accounts you should:
- Use a complex password.
- Use an unique password for EVERY site. A password manager is a great tool for managing all of these passwords.
- Turn on Multi Factor Authentication when available.