Dark Reading is part of the Informa Tech Division of Informa PLC


10:00 AM
Matias Woloski

What Disney+ Can Teach Businesses About Customer Security

Businesses must prioritize customer protection by taking on some of the responsibility to prevent credential stuffing attacks through multipronged authentication and identity management.

As most people consumed plates piled high with traditional Thanksgiving favorites in late November, Disney+ found itself consumed with a different kind of stuffing: credential stuffing. 

Credential stuffing attacks can easily go unnoticed — and therefore provide an ideal opportunity for attackers to access and sell highly personal user information. Disney's subscription-based video streaming service learned this lesson the hard way after it was revealed that hackers had used credential stuffing to steal and sell thousands of Disney+ user login credentials just hours after the highly anticipated launch of the service.

How did a credential stuffing attack happen to Disney+, and why are these attacks happening more frequently? Let's find out.

How Did Disney+ Get Hit?
Credential stuffing events are pretty straightforward: Hackers gather a massive repository of pre-existing login credentials secured from hundreds, if not thousands, of previous security breaches — leading to nearly 8 billion exposed records — and then attempt to use them to log in to other online services and platforms via automated tools, called bots, trying combinations in rapid succession.

Password reuse is the basis for these attacks, given that 65% of Americans admit to using the same password for multiple websites, according to a 2019 Google poll. Aside from password reuse, the failure rate of stuffing attacks is low because launching an attack is easy — plus, subscription services with low price points and massive numbers of users are tempting targets. Once hackers gain access to an account, they also have access to just about any piece of a user's personal information they would need to carry out malicious activities, such as identity theft or credential sales on the Dark Web for as little as $3.

Reports verify that hackers obtained a large list of previously exposed user credentials and then used botnets to attempt to log in to Disney+ user accounts at massive scale using the credentials on the list. Because of the sheer number of account sign-ups that the platform acquired on its first day (approximately 10 million), the likelihood that at least some of these users were recycling passwords that had been unknowingly breached in the past for their Disney+ subscription was very high — which is why this particular attack was so successful.

Luckily, there are a few very tangible steps that businesses can take to ensure that user login credentials remain just that: the users'.

Consider Multifactor Authentication
Given the volume of cyberattacks happening today, it's jarring to realize how few businesses use multifactor authentication (MFA) as part of their routine login process.

MFA, a security technique that requires a user to submit at least two forms of authentication in different credential categories, has been proven to make user accounts 99.9% less susceptible to stuffing attacks. With that kind of success, the customer protection that results from implementing an MFA mechanism into the login process is a no-brainer.

Secure Your Account-Linking
Many companies, such as Disney, serve as umbrella brands over several online services, giving users automatic access to these sites using the same login credentials. The convenience and ease of account linking can be a great boost for the user experience, as long as it's done correctly. To provide the consistent brand experience you need and want, you must ensure that the teams responsible for account linking and identity management as a whole are dedicated to security and will keep all associated credentials safe, wherever they are being used on your site(s) to avoid risking a breach or attack. 

How to Detect Anomalies
The two credential stuffing precautions mentioned above are great prevention methods that are used to lessen the possibility that a hacker can maliciously log in to an online account. And while these stop most credential stuffing attacks in their tracks, businesses should be aware there's still a chance a user's credentials can be compromised, as attacks are getting more sophisticated.

If this occurs, online providers should be prepared to confront an attacker while in the process of logging in to an account by using an identity management platform that can detect automated attacks. Anomaly detection features help companies recognize and understand what "normal" user behavior looks like for a particular account, and signal the organization when behavioral patterns that deviate from what it has defined as normal are detected. [Editor's note: The author's company is one of many that offer anomaly detection capabilities.] Once the organization has this information, it can quickly alert a user to change his or her password before it's too late.
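
An added example, not from the article or the author's company: a simple heuristic for the automated login pattern described above, run over constructed log entries. It flags a source that tries many distinct usernames in a short window with mostly failed logins, and lists the accounts that did log in from that source so their owners can be told to change passwords. The log fields, window, thresholds and function name are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: (timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = (
    # One source walking a credential list; a single reused password works.
    [(f"2020-01-01T09:00:0{i}", "198.51.100.7", u, u == "frank")
     for i, u in enumerate(
         ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"], 1)]
    # Shared office NAT: several users, every login succeeds.
    + [(f"2020-01-01T09:05:{i}0", "192.0.2.44", u, True)
       for i, u in enumerate(["ivan", "judy", "kim", "leo", "mia"])]
    # One user mistyping a password once, then getting it right.
    + [("2020-01-01T09:10:00", "203.0.113.20", "zoe", False),
       ("2020-01-01T09:10:09", "203.0.113.20", "zoe", True)]
)

WINDOW = timedelta(seconds=60)  # assumed sliding window per source
MIN_USERS = 5                   # assumed: distinct usernames tried in the window
MIN_FAIL_RATIO = 0.8            # assumed: share of failed attempts in the window


def detect_stuffing(events, window=WINDOW, min_users=MIN_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {source_ip: usernames that logged in successfully from it}
    for every source whose attempts look automated."""
    recent = defaultdict(deque)   # source -> attempts still inside the window
    successes = defaultdict(set)  # source -> accounts it got into
    flagged = set()
    for ts, src, user, ok in sorted(events):
        now = datetime.fromisoformat(ts)
        attempts = recent[src]
        attempts.append((now, user, ok))
        while now - attempts[0][0] > window:  # drop attempts older than the window
            attempts.popleft()
        if ok:
            successes[src].add(user)
        users = {u for _, u, _ in attempts}
        fail_ratio = sum(not s for _, _, s in attempts) / len(attempts)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged.add(src)
    return {src: sorted(successes[src]) for src in sorted(flagged)}


if __name__ == "__main__":
    for src, accounts in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{src}: automated login pattern; prompt password reset for {accounts}")
```

The failure-ratio condition is what keeps the shared office address from being flagged; counting distinct usernames alone would treat it the same as the bot.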

As splintering of streaming platforms creates an even larger market, users will likely be tempted to reuse account passwords for two or more services for ease of access. While this is convenient, what they likely don't realize is that with every recycled password, the probability of becoming a victim of credential stuffing increases.

All businesses must prioritize customer protection by taking on some of the responsibility to prevent these attacks through multipronged authentication and identity management solutions. Although the volume of credential stuffing attacks will exponentially increase as streaming providers and other online services multiply, companies can ensure hackers' success rates do not by putting customers first — without compromising the user experience. 


Matias Woloski is the Co-founder and CTO at Auth0, where he builds and manages teams that solve the most complex and large-scale identity use cases for global enterprises. A former co-founder and leader at a boutique software consulting firm, Matias brings a strategic view to ...
