Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

10:00 AM
Matias Woloski
Matias Woloski
Connect Directly
E-Mail vvv

What Disney+ Can Teach Businesses About Customer Security

Businesses must prioritize customer protection by taking on some of the responsibility to prevent credential stuffing attacks through multipronged authentication and identity management.

As most people consumed plates piled high with traditional Thanksgiving favorites in late November, Disney+ found itself consumed with a different kind of stuffing: credential stuffing. 

Credential stuffing attacks can easily go unnoticed — and therefore provide an ideal opportunity for attackers to access and sell highly personal user information. Disney's subscription-based video streaming service learned this lesson the hard way after it was revealed that hackers had used credential stuffing to steal and sell thousands of Disney+ user login credentials just hours after the highly anticipated launch of the service.

How did a credential stuffing attack happen to Disney+, and why are these attacks happening more frequently? Let's find out.

How Did Disney+ Get Hit?
Credential stuffing events are pretty straightforward: Hackers gather a massive repository of pre-existing login credentials secured from hundreds, if not thousands, of previous security breaches — leading to nearly 8 billion exposed records — and then attempt to use them to log in to other online services and platforms via automated tools, called bots, trying combinations in rapid succession.

Password reuse is the basis for these attacks, given that 65% of Americans admit to using the same password for multiple websites, according to a 2019 Google poll. Aside from password reuse, the failure rate of stuffing attacks is low because launching an attack is easy — plus, subscription services with low price points and massive numbers of users are tempting targets. Once hackers gain access to an account, they also have access to just about any piece of a user's personal information they would need to carry out malicious activities, such as identity theft or credential sales on the Dark Web for as little as $3.

Reports verify that hackers obtained a large list of previously exposed user credentials and then used botnets to attempt to log in to Disney+ user accounts at massive scale using the credentials on the list. Because of the sheer number of account sign-ups that the platform acquired on its first day (approximately 10 million), the likelihood that at least some of these users were recycling passwords that had been unknowingly breached in the past for their Disney+ subscription was very high — which is why this particular attack was so successful.

Luckily, there are a few very tangible steps that businesses can take to ensure that user login credentials remain just that: the users.

Consider Multifactor Authentication
Given the volume of cyberattacks happening today, it's jarring to realize how few businesses use multifactor authentication (MFA) as part of their routine login process.

MFA, a security technique that requires a user to submit at least two forms of authentication in different credential categories, has been proven to make user accounts 99.9% less susceptible to stuffing attacks. With that kind of success, the customer protection that results from implementing an MFA mechanism into the login process is a no-brainer.

Secure Your Account-Linking
Many companies, such as Disney, serve as umbrella brands over several online services, giving users automatic access to these sites using the same login credentials. The convenience and ease of account linking can be a great boost for the user experience, as long as it's done correctly. To provide the consistent brand experience you need and want, you must ensure that the teams responsible for account linking and identity management as a whole are dedicated to security and will keep all associated credentials safe, wherever they are being used on your site(s) to avoid risking a breach or attack. 

How to Detect Anomalies
The two credential stuffing precautions mentioned above are great prevention methods that are used to lessen the possibility that a hacker can maliciously log in to an online account. And while these stop most credential stuffing attacks in their tracks, businesses should be aware there's still a chance a user's credentials can be compromised, as attacks are getting more sophisticated.

If this occurs, online providers should be prepared to confront an attacker while in the process of logging in to an account by using an identity management platform that can detect automated attacks. Anomaly detection features help companies recognize and understand what "normal" user behavior looks like for a particular account, and signal the organization when behavioral patterns that deviate from what it has defined as normal are detected. [Editor's note: The author's company is one of many that offer anomaly detection capabilities.] Once the organization has this information, it can quickly alert a user to change his or her password before it's too late.

As splintering of streaming platforms creates an even larger market, users will likely be tempted to reuse account passwords for two or more services for ease of access. While this is convenient, what they likely don't realize is that with every recycled password, the probability of becoming a victim of credential stuffing increases.

All businesses must prioritize customer protection by taking on some of the responsibility to prevent these attacks through multipronged authentication and identity management solutions. Although the volume of credential stuffing attacks will exponentially increase as streaming providers and other online services multiply, companies can ensure hackers' success rates do not by putting customers first — without compromising the user experience. 

Related Content:


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How to Prevent an AWS Cloud Bucket Data Leak."

Matias Woloski is the Co-founder and CTO at Auth0, where he builds and manages teams that solve the most complex and large-scale identity use cases for global enterprises. A former co-founder and leader at a boutique software consulting firm, Matias brings a strategic view to ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-15
Wfilter ICF 5.0.117 contains a cross-site scripting (XSS) vulnerability. An attacker in the same LAN can craft a packet with a malicious User-Agent header to inject a payload in its logs, where an attacker can take over the system by through its plugin-running function.
PUBLISHED: 2021-04-15
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.
PUBLISHED: 2021-04-15
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2021-04-15
LightCMS v1.3.5 contains a remote code execution vulnerability in /app/Http/Controllers/Admin/NEditorController.php during the downloading of external images.
PUBLISHED: 2021-04-15
An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associa...