The Disney+ Account Hijacking: Preventing Unauthorized Network Access with Threat Intelligence Tools

By Threat Intelligence Platform (TIP)

What was supposed to be an exciting week after the launch of Disney+, a subscription-based video-on-demand (VOD) streaming service of Walt Disney Company, turned into a nightmare for thousands of users. Only hours after the said service's launch, reports of user account hijacking and selling on the Dark Web surfaced. Below is a quick roundup of the events:

When hackers get hold of Disney+ usernames and passwords, users who reuse passwords also put their other accounts in danger. A password used for Disney+ may be the same as the one used for the person's email, Netflix, Twitter, and even online banking accounts. The only thing left for the hackers to do is spend a little time trying to log in to other platforms with the same credentials.

Providers like Disney+ can better prevent breaches by ensuring that their IT infrastructure does not have gaping holes that attackers can easily find and abuse. One useful tool to check domain integrity is Threat Intelligence Platform (TIP).

Our Investigative Tool: Threat Intelligence Platform (TIP)

We ran the domain used by Disney+ on TIP and found several potential issues that might be worth investigating (note that we're not claiming that any of these issues played any part in the breach itself):

Apart from making sure that its domain is threat-free, Disney+ can also benefit from additional checks on users by using IP geolocation as a warning system. Users' geolocations can be cross-checked with their physical addresses on record as part of digital rights management (DRM) systems. Users whose IP geolocations don't match their addresses can undergo another layer of validation before they are granted access. That way, subscribers can be assured that only authorized users have access to their accounts.
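The geolocation cross-check described above, as an added example that is not part of the original post or of TIP itself: a constructed lookup table stands in for a geolocation API, and the tiering policy (country mismatch or unresolvable IP forces another validation step, region-only mismatch is flagged for review) is an assumption of this example.

```python
from dataclasses import dataclass
import ipaddress

# Constructed lookup table standing in for a geolocation API response.
# Prefixes are RFC 5737 documentation ranges; the locations are made up.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("US", "CA"),
    ipaddress.ip_network("198.51.100.0/24"): ("FR", "IDF"),
    ipaddress.ip_network("192.0.2.0/24"): ("US", "NY"),
}

@dataclass
class LoginEvent:
    user: str
    ip: str
    country_on_record: str  # from the subscriber's physical address on file
    region_on_record: str

def geolocate(ip: str):
    """Return (country, region) for an IP, or None if unknown or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, loc in GEO_TABLE.items():
        if addr in net:
            return loc
    return None

def evaluate_login(event: LoginEvent):
    """Return (decision, reason); decision is "allow", "review" or "step_up".
    Policy assumed here: country mismatch or an unresolvable IP forces step-up;
    a region-only mismatch is allowed but flagged for review."""
    loc = geolocate(event.ip)
    if loc is None:
        return "step_up", "IP could not be geolocated"
    country, region = loc
    if country != event.country_on_record:
        return "step_up", f"country mismatch: IP in {country}, record says {event.country_on_record}"
    if region != event.region_on_record:
        return "review", f"region mismatch: IP in {region}, record says {event.region_on_record}"
    return "allow", "IP geolocation consistent with address on record"

if __name__ == "__main__":
    for ev in [LoginEvent("alice", "203.0.113.7", "US", "CA"),  # constructed sample logins
               LoginEvent("bob", "198.51.100.9", "US", "NY"),
               LoginEvent("carol", "192.0.2.44", "US", "CA"),
               LoginEvent("dave", "not-an-ip", "US", "CA")]:
        print(ev.user, *evaluate_login(ev))
```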

Additionally, to avoid other data leaks, the cybersecurity team in charge of securing Disney+ as a service may want to register domain names that could be part of cybersquatting schemes. Using Brand Alert API at full-product capacity revealed dozens of possible typo versions of the actual domain (i.e., "disneyplus.com") among which:

At the time of writing, one of the domains above (which we prefer not to cite, as we cannot confirm it is meant to be used for malicious ends) had been registered on a date suspiciously close to the launch of Disney+, as shown in the following WHOIS record extract:

* * *

Account hijacking is not unheard of, but Disney+'s case caused so much uproar because the attack occurred mere hours after the service's launch. The company could have gone to market prematurely, without extensive consideration of possible security threats. It could also mean that the attackers had been lurking behind the scenes long before the attack.

Either way, organizations should match cyber attackers' proactivity by looking at their entire potential attack surface and considering all possible vectors. Getting a better perspective of where attacks may come from by using threat intelligence tools can be decisive in preventing damage.

Related topics: Cybercrime, Domain Names, Networks, Whois
