Disney+ became available less than a week ago, yet thousands of hijacked accounts are already being offered for sale in cybercriminal marketplaces, and many users are reporting Disney+ account takeovers on social media, according to ZDNet.
Yet it’s not that Disney+ has been hacked. Far from it. Rather, it’s likely that the bulk of the account takeovers stem from password reuse, i.e. account owners using passwords already used for other accounts. (You should never reuse a password.)
If one of those other services suffers a data breach, then hackers can take those purloined passwords and use them in “credential stuffing” attacks to try to break into unbreached services.
Other Disney+ account hijacks may be the result of password-stealing malware, phishing scams or brute-force attacks against weak passwords and easy-to-answer password-reset questions.
Disney could have spared itself this public-relations mess had it let its users set up two-factor authentication (2FA), which would make it much harder for crooks to hijack accounts even with correct passwords.
But Netflix doesn’t offer 2FA either, and neither does Hulu, even though Amazon, Google, Facebook and dozens of other online services do. A cynic might wonder if that omission helps boost viewing audiences for streaming services by making it easier for friends and family members to share account passwords.
How to protect your Disney+ account
Until Disney changes its mind about 2FA, your Disney+ account is going to be a sitting duck for hackers.
Make sure your Disney+ password is strong — at least 12 characters long with a mix of upper- and lower-case letters, numbers and symbols — and unique, not used anywhere else.
If you get an email, social-media message or text message saying your Disney+ account is in danger, don’t click any links in the message. Instead, open a new browser tab and manually log into Disney+ that way.
To help both keep track of your passwords and create strong new ones, you should be using one of the best password managers.
This article originally ran on tomsguide.com.