Tech

Hacked Disney+ accounts are reportedly being sold for as little as $3

Key Points
  • Thousands of Disney+ user accounts have been stolen by hackers and put up for sale on the dark web, according to multiple reports.
  • Just hours after the streaming service was rolled out, hackers hijacked user accounts and were either offering them for free on hacking forums or selling them for prices between $3 to $11, news site ZDNet reported in its investigation.
  • A spokesperson for Disney told CNBC the company "takes the privacy and security of our users' data very seriously and there is no indication of a security breach on Disney+."
In this photo illustration, the Disney + logo is displayed on the screen of an Apple MacBook Pro computer on November 08, 2019 in Paris, France.
Chesnot | Getty Images

Thousands of Disney+ user accounts have been stolen by hackers and put up for sale on the dark web, according to multiple reports.

Disney+ is the new subscription-based streaming service from Disney that was officially launched last Tuesday.

Just hours after the service was rolled out, hackers hijacked user accounts and were either offering them for free on hacking forums or selling them for prices between $3 to $11, according to investigations by news site ZDNet.

VIDEO3:0903:09
Hacked Disney+ accounts are reportedly being sold for as little as $3

Users said hackers were accessing their Disney+ accounts, logging them out of their devices and then changing the email and password associated with that account, according to ZDNet.

The BBC also reported that it found hacked customer accounts for sale on the dark web.

A spokesperson for Disney told CNBC the company "takes the privacy and security of our users' data very seriously and there is no indication of a security breach on Disney+."

It is likely that some users may have used the same email and password for multiple sites, including Disney+, and their credentials could've been stolen during previous security breaches at other companies.

A cybersecurity expert told CNBC that when hackers obtain large databases, they use various means to take over an account, including something known as "credential stuffing."

It "happens when the attacker automates the process of trying usernames and password on a targeted site," said Etay Maor, chief security officer at cyberintelligence company IntSights. He explained that such a method is powerful because "many people use the same password on multiple websites. This allows the attacker to 'test' and see if the password from the obtained database was used on the targeted site."

VIDEO5:3805:38
Swisher: Disney finally hits mark after two decades

But, ZDNet reported users who have used unique passwords also had their accounts compromised.

Disney+ is currently available in a few selected countries including the United States and Canada. It touts an expansive library of content from Disney shows and movies, Pixar, Marvel, Lucasfilm as well as new original shows being produced for the service, such as the "Star Wars" spin-off series "The Mandalorian."

It is the latest addition in an increasingly crowded streaming landscape, with the likes of Netflix, Hulu, Amazon Prime, and others.

Shares of Disney rose more than 2 percent Monday on the New York Stock Exchange and are less than $3 off their 52-week high.

Read ZDNet's full investigation about stolen Disney+ accounts here.