News & Commentary
3/2/2020 10:00 AM
Matias Woloski
Commentary

What Disney+ Can Teach Businesses About Customer Security

Businesses must prioritize customer protection by taking on some of the responsibility to prevent credential stuffing attacks through multipronged authentication and identity management.

As most people consumed plates piled high with traditional Thanksgiving favorites in late November, Disney+ found itself consumed with a different kind of stuffing: credential stuffing. 

Credential stuffing attacks can easily go unnoticed — and therefore provide an ideal opportunity for attackers to access and sell highly personal user information. Disney's subscription-based video streaming service learned this lesson the hard way after it was revealed that hackers had used credential stuffing to steal and sell thousands of Disney+ user login credentials just hours after the highly anticipated launch of the service.

How did a credential stuffing attack happen to Disney+, and why are these attacks happening more frequently? Let's find out.

How Did Disney+ Get Hit?
Credential stuffing events are pretty straightforward: Hackers gather a massive repository of pre-existing login credentials secured from hundreds, if not thousands, of previous security breaches — leading to nearly 8 billion exposed records — and then attempt to use them to log in to other online services and platforms via automated tools, called bots, trying combinations in rapid succession.

Password reuse is the basis for these attacks: 65% of Americans admit to using the same password for multiple websites, according to a 2019 Google poll. Beyond password reuse, these attacks succeed so often because launching one is cheap and easy, and subscription services with low price points and massive user bases are tempting targets. Once hackers gain access to an account, they also have access to just about any piece of a user's personal information they would need to carry out malicious activities, such as identity theft or selling the credentials on the Dark Web for as little as $3.

Reports confirm that hackers obtained a large list of previously exposed user credentials and then used botnets to attempt logins to Disney+ accounts at massive scale with the credentials on that list. Given the sheer number of sign-ups the platform acquired on its first day (approximately 10 million), it was very likely that at least some of those users had reused, for their Disney+ subscription, a password that had already been exposed in an earlier breach without their knowledge, which is why this particular attack was so successful.

Luckily, there are a few very tangible steps businesses can take to ensure that user login credentials remain just that: the user's.

Consider Multifactor Authentication
Given the volume of cyberattacks happening today, it's jarring to realize how few businesses use multifactor authentication (MFA) as part of their routine login process.

MFA, a security technique that requires a user to submit at least two forms of authentication in different credential categories, has been proven to make user accounts 99.9% less susceptible to stuffing attacks. With that kind of success, the customer protection that results from implementing an MFA mechanism into the login process is a no-brainer.
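As an added illustration of what "two forms of authentication in different credential categories" means in code, the following Python was written for this article and is not part of the original piece or of any product. It checks a password (something the user knows) together with a time-based one-time code (something the user has, per RFC 6238, built on the HOTP construction from RFC 4226) and grants access only when both pass. The account record, salt, password and base32 secret are constructed demo values (the secret is the RFC 4226/6238 test key), and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values, not from the article: the RFC 4226/6238 test secret
# (ASCII "12345678901234567890", base32-encoded) and one fictitious account.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"demo-salt-not-for-production"
DEMO_USER = {
    "name": "alice",
    "salt": DEMO_SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", DEMO_SALT, 100_000),
    "totp_secret": DEMO_TOTP_SECRET,
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32: str, submitted: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or for `window` steps either side
    (clock skew). Malformed input is rejected before any comparison, and the
    comparison itself is constant-time."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    if at is None:
        at = time.time()
    counter = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate < 0:
            continue
        # Check every candidate rather than returning early, to keep timing flat.
        ok |= hmac.compare_digest(hotp(secret_b32, candidate, digits), submitted)
    return ok


def login(user: dict, password: str, otp: str, at: Optional[float] = None) -> bool:
    """Both factors are evaluated and both must pass: a correct password alone
    (the only thing a stuffed credential list supplies) never grants access."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    password_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, at=at)
    return password_ok and otp_ok


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the 6-digit SHA-1 code is 287082.
    print("code at t=59:", totp(DEMO_TOTP_SECRET, at=59))
    print("password + code:", login(DEMO_USER, "correct horse battery staple", "287082", at=59))
    print("password only:", login(DEMO_USER, "correct horse battery staple", "000000", at=59))
```

Computing both factors before combining them, instead of returning as soon as the password fails, keeps the response time the same whichever factor was wrong, so an automated attempt learns nothing about which half it got right. The skew window accepts one step on either side of the current 30-second step so a slightly drifted phone clock still works; widening it further trades more tolerance for a larger set of codes that would be accepted at any moment.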

Secure Your Account-Linking
Many companies, such as Disney, serve as umbrella brands over several online services, giving users automatic access to these sites with the same login credentials. The convenience of account linking can be a great boost for the user experience, as long as it's done correctly; because one set of credentials opens every linked service, a weakness anywhere in the chain exposes all of them. To provide a consistent brand experience without risking a breach, make sure the teams responsible for account linking, and for identity management as a whole, treat security as a priority and keep linked credentials safe wherever they are used across your site(s).

How to Detect Anomalies
The two precautions above are effective prevention methods that lessen the possibility of a hacker logging in to an online account with stolen credentials. While they stop most credential stuffing attacks in their tracks, businesses should be aware that there is still a chance a user's credentials can be compromised, as attacks grow more sophisticated.

If this occurs, online providers should be prepared to challenge an attacker during the login attempt itself, using an identity management platform that can detect automated attacks. Anomaly detection features help companies learn what "normal" user behavior looks like for a particular account and signal the organization when behavioral patterns deviate from that baseline. [Editor's note: The author's company is one of many that offer anomaly detection capabilities.] With this information, the organization can quickly alert the user to change his or her password before it's too late.
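The two signals described above, an automated attack seen at the source and a login that deviates from an account's own baseline, can be expressed directly as detection logic. The Python below is an added example for this article, not the author's or Auth0's code, run over a constructed authentication log. It flags a source address that tries many distinct accounts with a high failure ratio inside a short window (a bot walking a credential list, where a person mistyping one password touches one account), and it flags successful logins from a source the account has never used before, marking those that also came from a flagged source as the more urgent case. The log lines, addresses (RFC 5737 documentation ranges), usernames, thresholds and per-account history are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth-log lines (not from the article). One source walks
# a list of accounts and hits once; two real users log in from their usual
# addresses; one real user logs in from a new address.
SAMPLE_LOG = """\
2020-03-02T10:00:01Z ip=198.51.100.4 user=alice result=ok
2020-03-02T10:00:05Z ip=203.0.113.7 user=u1 result=fail
2020-03-02T10:00:06Z ip=203.0.113.7 user=u2 result=fail
2020-03-02T10:00:07Z ip=203.0.113.7 user=u3 result=fail
2020-03-02T10:00:08Z ip=203.0.113.7 user=carol result=ok
2020-03-02T10:00:09Z ip=203.0.113.7 user=u4 result=fail
2020-03-02T10:00:10Z ip=203.0.113.7 user=u5 result=fail
2020-03-02T10:00:11Z ip=203.0.113.7 user=u6 result=fail
2020-03-02T10:00:12Z ip=203.0.113.7 user=u7 result=fail
2020-03-02T10:00:20Z ip=198.51.100.9 user=bob result=fail
2020-03-02T10:00:31Z ip=198.51.100.9 user=bob result=ok
2020-03-02T10:00:40Z ip=192.0.2.77 user=dave result=ok
this line is malformed and must be skipped
"""

# Constructed per-account baseline: source addresses seen on past successful logins.
KNOWN_SOURCES = {
    "alice": {"198.51.100.4"},
    "bob": {"198.51.100.9"},
    "carol": {"192.0.2.33"},
    "dave": {"192.0.2.50"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_log(text: str) -> list:
    """Parse the constructed log format into events sorted by time; lines that
    do not match are skipped so one bad record cannot stop the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8) -> dict:
    """Per source address, slide a time window over its attempts and flag it if
    any window holds at least `min_users` distinct accounts with a failure ratio
    of at least `min_fail_ratio`. The largest qualifying window is reported."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(span) > best["attempts"]:
                    flagged[ip] = {"attempts": len(span), "distinct_users": len(users), "fail_ratio": ratio}
    return flagged


def account_anomalies(events, known_sources, stuffing=None) -> list:
    """Successful logins from a source the account has never used; those that
    also came from a flagged stuffing source are the ones to act on first."""
    stuffing = stuffing or {}
    out = []
    for e in events:
        if e["ok"] and e["ip"] not in known_sources.get(e["user"], set()):
            out.append({"user": e["user"], "ip": e["ip"], "from_stuffing_source": e["ip"] in stuffing})
    return out


def analyse(text: str, known_sources: dict) -> dict:
    """Run both detectors over a log and return their findings together."""
    events = parse_log(text)
    sources = stuffing_sources(events)
    return {"stuffing_sources": sources,
            "account_anomalies": account_anomalies(events, known_sources, sources)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG, KNOWN_SOURCES).items():
        print(key, value)
```

In this constructed log the per-source detector reports only the address that walked eight accounts in seven seconds with a 7/8 failure ratio, while bob's single mistype from his usual address is left alone. The per-account detector returns two new-source logins, but only carol's is tied to the flagged source, which is the account to challenge and prompt for a password change first; dave's is a lower-priority review item (travel, new device) rather than an incident. The thresholds are deliberately simple starting points; a production system would tune them per service and combine them with device and geography baselines.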

As splintering of streaming platforms creates an even larger market, users will likely be tempted to reuse account passwords for two or more services for ease of access. While this is convenient, what they likely don't realize is that with every recycled password, the probability of becoming a victim of credential stuffing increases.

All businesses must prioritize customer protection by taking on some of the responsibility to prevent these attacks through multipronged authentication and identity management solutions. Although the volume of credential stuffing attacks will increase exponentially as streaming providers and other online services multiply, companies can ensure that hackers' success rates do not by putting customers first — without compromising the user experience.

Matias Woloski is the Co-founder and CTO at Auth0, where he builds and manages teams that solve the most complex and large-scale identity use cases for global enterprises. A former co-founder and leader at a boutique software consulting firm, Matias brings a strategic view to ...