What was supposed to be an exciting week after the launch of Disney+, a subscription-based video-on-demand (VOD) streaming service of Walt Disney Company, turned into a nightmare for thousands of users. Only hours after the said service’s launch, reports of user account hijacking and selling on the Dark Web surfaced. Below is a quick roundup of the events:

• Disney+ was launched on November 12, 2019, in the U.S., Canada, and the Netherlands.
• 10 million customers reportedly signed up for the service in the first 24 hours alone.
• Technical issues plagued the users who complained that they could not stream the videos they wanted. They were still unaware of the more vexing problem.
• Less than 24 hours after the launch, users began complaining on Twitter and Reddit that their accounts had been hacked.
• The hackers changed some of the users’ email addresses and passwords and sold these new credentials on Dark Web forums for US$3—11 per set.
• Other hackers did not even change users’ login credentials, but still posted them so people who wanted to could stream shows free of charge. Disney+ allows account sharing, so owners may not know that others have been using their accounts.

Hackers getting hold of Disney+ usernames and passwords further places users’ other accounts in danger for those who reuse passwords. A password used for Disney+ may be the same as that used for the person’s email, Netflix, Twitter, and even online banking accounts. The only thing left for hackers to do is spend a little time trying to log in to other platforms using the same credentials.

Providers like Disney+ can better prevent breaches by ensuring that their IT infrastructure does not have gaping holes that attackers can easily find and abuse. One useful tool to check domain integrity is Threat Intelligence Platform (TIP).

Our Investigative Tool: Threat Intelligence Platform (TIP)

We ran the domain used by Disney+ on TIP and found several potential issues that might be worth investigating (note that we’re not claiming that any of these issues played any part in the breach itself):

• Our analysis of the “disneyplus.com” domain revealed that it has redirects. While the company’s web administrator may have enabled these, it’s still worth checking and making sure users are not brought to harmful sites.
• Disney+ may also want to configure its site’s HTTP Public Key Pinning (HPKP) headers, as this would allow resisting impersonation by attackers using mis-issued or fraudulent certificates. That way, only trusted client browsers with the right set of public keys can connect to its domain.
• Disney+ can also consider beefing up its Domain Name System (DNS)-based authentication by configuring its Transport Layer Security Authentication (TLSA) settings.
• The tool also revealed a mismatch in the domain’s mail exchange (MX) server records. This could potentially lead to failure to receive email messages, which can put a damper on its communication with users and other stakeholders.

Apart from making sure that its domain is threat-free, Disney+ can also benefit from additional checks on users by using IP geolocation as a warning system. Users’ geolocations can be cross-checked with their physical addresses on record as part of digital rights management (DRM) systems. Users whose IP geolocations don’t match their addresses can undergo another layer of validation before they are granted access. That way, subscribers can be assured that only authorized users have access to their accounts.

Additionally, to avoid other data leaks, the cybersecurity team in charge of securing Disney+ as a service may want to register domain names that could be part of cybersquatting schemes. Using Brand Alert API at full-product capacity revealed dozens of possible typo versions of the actual domain (i.e., “disneyplus.com”) among which:

• dfisneyplus[.]com
• diasneyplus[.]com
• dicneyplus[.]com
• didsneyplus[.]com
• dieneyplus[.]com
• diosneyplus[.]com
• disbneyplus[.]com
• disineyplus[.]com
• disnedyplus[.]com

At the time of writing, one of the domains above (which we prefer note to cite as we cannot confirm it’s meant to be used for malicious ends) has been registered with a date suspiciously close to the launch of Disney+, as shown in the following WHOIS record extract:

* * *

Account hijacking is not unheard of, but Disney+‘s case caused so much uproar because the attack occurred mere hours after the service’s launch. The company could have gone to market prematurely, without extensive consideration of possible security threats. It could also mean that the attackers have been lurking behind the scenes long before the attack.

Either way, organizations should match cyber attackers’ proactivity by looking at their entire potential attack surface and considering all possible vectors. Getting a better perspective of where attacks may come from by using threat intelligence tools can turn decisive to prevent damage.