Some customers who signed up for Walt Disney Co.’s new Disney+ streaming service have seen their usernames and passwords sold online to third parties and have been locked out of their newly opened accounts.
Disney said its system hasn’t been hacked and that it’s working to quickly address the issue. It’s possible that hackers obtained the names and passwords from data breaches at other companies.
“Disney takes the privacy and security of our users’ data very seriously, and there is no indication of a security breach on Disney+,” the company said in a statement.
Disney+ is the company’s effort to build a direct connection to consumers, as many people shift to watching movies and shows on demand rather than on cable and satellite TV. The $7-a-month service launched a week ago and quickly signed up more than 10 million customers, a number far exceeding predictions.
Still, the debut was marred by many complaints from customers who couldn’t log on or had trouble watching programs. But the number of gripes collected by the website Downdetector has dropped sharply over the past week and now amounts to just a few dozen.
Speaking at the Code Media conference in Los Angeles on Tuesday, Disney’s direct-to-consumer chief blamed the initial troubles on faulty coding in the app that the company is working to fix. Kevin Mayer said Disney executives were “very surprised” by the number of people who subscribed.
The sign-up process was complicated, he said, because some customers already had subscriptions to Disney services such as Hulu and wanted to add the new one. Many customers also forgot they already has Disney accounts.
“Not only was it huge demand, but the complexity,” Mayer said. “If you were a current subscriber, how does it work? Those were legitimate questions.”
While Disney has long collected customers’ names and passwords for its theme parks and online games, the expansion into online video on a global basis brings the potential for more technology snafus.
ZDNet reported over the weekend that Disney+ users’ accounts were being put up for sale on hacking forums within hours of the service’s launch at prices of $3 to $11 each. Some customers reported they had used old passwords, but others said they hadn’t, according to the website.
While there may be few thousand compromised Disney accounts, that’s small compared with the hundreds of thousands of usernames and passwords on the black market hijacked from platforms like Hulu, Netflix and HBO, said Andrei Barysevich, chief executive officer and co-founder of the security firm Gemini Advisory.
Reusing names and password combinations from previous attacks at other sites can be a “very effective method” for hackers, he said.
“This is one of the biggest problems, not just streaming services, but pretty much every e-commerce business has been battling for the last couple of years, because there’s an abundance of compromised emails and passwords on the dark web,” Barysevich said.
At Code Media, a conference for media executives, operators of rival services praised the Disney+ launch. David Nevins, chief creative officer at CBS Corp., called the sign-ups “impressive,” while AT&T Inc. President John Stankey said that while Disney+ “was off to a good start,” keeping customers happy and subscribed will be an ongoing issue.
“How many of the 10 million customers are there six months from now?” Stankey asked. “It’s managing churn.”