Vice (Motherboard): Tools for breaking into Disney+ accounts have been online for months.

Deleted member 33 · Nov 18, 2019

Vice posted this article.

One of the takeaways is that users should avoid using the same password across multiple services (Netflix, Uber, Hulu, Disney).

But this should not come as a surprise. Motherboard found that, for months, hackers have been giving away so-called "configs"—files that control special software for breaking into accounts en masse—designed to crack Disney+.

"DISNEY+ CONFIG," one thread on a hacking forum focused on breaking into online accounts reads. The author created the thread and shared the config itself two months ago, according to the forum.

Hackers load a config into a tool such as Sentry, which churns through combinations of email addresses and passwords in the hope that a user has shared one password across multiple services. Configs exist for all sorts of online services that may be attractive to hackers, such as Uber or Netflix. Hackers will typically use the software in conjunction with proxies, which route their traffic through different points before arriving at the Disney+ login portal, so Disney doesn't block the hackers.

Disney did not immediately respond to a request for comment.

Source: https://www.vice.com/en_us/article/zmjdwa/config-to-hack-disney-plus-accounts

Deleted member 33 · Nov 18, 2019

Also, thousands of Disney+ accounts are already for sale on hacking forums.

https://www.zdnet.com/article/thous...ounts-are-already-for-sale-on-hacking-forums/

SoH · Nov 18, 2019

Nothing about this is specific to a lacking of security with Disney+, but if we are taking the sudden rise of a popular streaming service to remind people not to share passwords across services then I'm on board.

Maximus · Nov 18, 2019

It is only a concern if you have reused passwords and your data has been breached on another platform.

Musubi · Nov 18, 2019

Common sense wins the day. Use unique passwords for all of your accounts.

Finale Fireworker · Nov 18, 2019

SmiteOfHand said:
Nothing about this is specific to a lacking of security with Disney+, but if we are taking the sudden rise of a popular streaming service to remind people not to share passwords across services then I'm on board.

Maximus said:
It is only a concern if you have reused passwords and your data has been breached on another platform.

The article emphasizes that it is affecting people with unique passwords.

Two users who spoke with ZDNet on the condition we do not share their names admitted that they reused passwords. However, other users said online that they did not, and had used passwords unique for their Disney+ accounts.

This suggests that in some cases hackers gained access to accounts by using email and password combos leaked at other sites, while in other cases the Disney+ credentials might have been obtained from users infected with keylogging or info-stealing malware.

But having a keylogger isn't Disney's fault, I guess.

jediyoshi · Nov 18, 2019

"Hackers load a config into a tool such as Sentry, which churns through combinations of email addresses and passwords in the hope that a user has shared one password across multiple services."

Eh

tangeu · Nov 18, 2019

Soooo....the same tools to break into any online account?

Arctic Chris · Nov 18, 2019

A different simple password for every site is still a simple password. I do recommend something like 1Password to generate complex and unique passwords for every site.

Disney could help matters by making 2FA available for users interested in additional account security.

SoH · Nov 18, 2019

Finale Fireworker said:
The article emphasizes that it is affecting people with unique passwords.

But having a keylogger isn't Disney's fault, I guess.

Good eye. Didn't click through the referenced ZDnet article. Though agreed, still no sign of any failing on Disney's part.

Skyejack · Nov 18, 2019

Are hackers really that desperate to watch cartoons and men in tights?

MPrice · Nov 18, 2019

jediyoshi said:
"Hackers load a config into a tool such as Sentry, which churns through combinations of email addresses and passwords in the hope that a user has shared one password across multiple services."

Eh

Lmao not even Brute Force but a dictionary attack? Vice should be ashamed for even posting this.

ReAxion · Nov 18, 2019

Skyejack said:
Are hackers really that desperate to watch cartoons and men in tights?

a) they're giving them away and b) if for personal use, what is your impression of a hacker's entertainment consumption?

Skyejack · Nov 18, 2019

ReAxion said:
a) they're giving them away and b) if for personal use, what is your impression of a hacker's entertainment consumption?

What you're describing isn't a hacker. It's sounds more like a kid running a script.

Krauser Kat · Nov 18, 2019

use a different password for everyservice. last pass or 1 password is your friends

ReAxion · Nov 18, 2019

Skyejack said:
What you're describing isn't a hacker. It's sounds more like a kid running a script.

i mean, I'm not describing anything, Vice is, but you probably already know media outlets never make a distinction - everything is hacking.

Falcon511 · Nov 18, 2019

Thank god for password managers.

Syriel · Nov 18, 2019

Maximus said:
It is only a concern if you have reused passwords and your data has been breached on another platform.

Ashhong · Nov 18, 2019

Wait why don't they have 2FA?

TarpitCarnivore · Nov 18, 2019

This is just a brute force tool aimed at Disney+. Vice trying to go all "WOO TOOLS TO HACK" when this shit is nothing special.

Barls · Nov 18, 2019

Ashhong said:
Wait why don't they have 2FA?

Yeah I would love to see this, but watching the backlash to "Disney blocking account sharing" would be quite funny.

Ashhong · Nov 18, 2019

Barls said:
Yeah I would love to see this, but watching the backlash to "Disney blocking account sharing" would be quite funny.

Would people say that? Lol it wouldn't even block any sharing

Spectromixer · Nov 18, 2019

Ashhong said:
Wait why don't they have 2FA?

They should have it but Amazon is the only streaming service with 2FA.

mrmoose · Nov 18, 2019

Ashhong said:
Wait why don't they have 2FA?

Why don't they have a progress bar for stuff you're watching?

They don't even have near feature parity to Netflix, let alone putting in something Netflix, Hulu, etc. don't have.

The only reason I think Amazon has it is because you're reusing your amazon store account which has it.

Even so, it is way, way better to learn that you are using a password that's been compromised because someone logged into this service then, say, a bank or something. A great reminder for everyone to change all their passwords while not directly harming something essential.

Barls · Nov 18, 2019

Ashhong said:
Would people say that? Lol it wouldn't even block any sharing

They would, even though you are right, it wouldn't.
It wouldn't block it, but almost any implementation of 2FA would make logging in without access to the phone, email or authentication app incredibly annoying. Imagine having to text your friend, "Hey, just got a new Roku, can you send me that Disney code in the next 5 minutes?"
Then Disney decided to make you re-auth every device every week or something in the name of security...

Falchion · Nov 20, 2019

Yikes, I'm pretty sure I have a different password but I'll double check now.

Vice (Motherboard): Tools for breaking into Disney+ accounts have been online for months.

Deleted member 33

Account closed at user request

Deleted member 33

Account closed at user request

SoH

Maximus

Musubi

Unshakable Resolve - Prophet of Truth

Finale Fireworker

Love each other or die trying.

jediyoshi

tangeu

Arctic Chris

SoH

Skyejack

Attempted to circumvent ban with alt account

MPrice

Alt account

ReAxion

Skyejack

Attempted to circumvent ban with alt account

Krauser Kat

ReAxion

Falcon511

Syriel

Ashhong

TarpitCarnivore

Barls

Ashhong

Spectromixer

mrmoose

Barls

Falchion