As most people consumed plates piled high with traditional Thanksgiving favorites in late November, Disney+ found itself consumed with a different kind of stuffing: credential stuffing.
Credential stuffing attacks can easily go unnoticed — and therefore provide an ideal opportunity for attackers to access and sell highly personal user information. Disney's subscription-based video streaming service learned this lesson the hard way after it was revealed that hackers had used credential stuffing to steal and sell thousands of Disney+ user login credentials just hours after the highly anticipated launch of the service.
How did a credential stuffing attack happen to Disney+, and why are these attacks happening more frequently? Let's find out.
How Did Disney+ Get Hit?
Credential stuffing events are pretty straightforward: Hackers gather a massive repository of pre-existing login credentials secured from hundreds, if not thousands, of previous security breaches — leading to nearly 8 billion exposed records — and then attempt to use them to log in to other online services and platforms via automated tools, called bots, trying combinations in rapid succession.
Password reuse is the basis for these attacks, given that 65% of Americans admit to using the same password for multiple websites, according to a 2019 Google poll. Aside from password reuse, the failure rate of stuffing attacks is low because launching an attack is easy — plus, subscription services with low price points and massive numbers of users are tempting targets. Once hackers gain access to an account, they also have access to just about any piece of a user's personal information they would need to carry out malicious activities, such as identity theft or credential sales on the Dark Web for as little as $3.
Reports verify that hackers obtained a large list of previously exposed user credentials and then used botnets to attempt to log in to Disney+ user accounts at massive scale using the credentials on the list. Because of the sheer number of account sign-ups that the platform acquired on its first day (approximately 10 million), the likelihood that at least some of these users were recycling passwords that had been unknowingly breached in the past for their Disney+ subscription was very high — which is why this particular attack was so successful.
Luckily, there are a few very tangible steps that businesses can take to ensure that user login credentials remain just that: the users.
Consider Multifactor Authentication
Given the volume of cyberattacks happening today, it's jarring to realize how few businesses use multifactor authentication (MFA) as part of their routine login process.
MFA, a security technique that requires a user to submit at least two forms of authentication in different credential categories, has been proven to make user accounts 99.9% less susceptible to stuffing attacks. With that kind of success, the customer protection that results from implementing an MFA mechanism into the login process is a no-brainer.
Secure Your Account-Linking
Many companies, such as Disney, serve as umbrella brands over several online services, giving users automatic access to these sites using the same login credentials. The convenience and ease of account linking can be a great boost for the user experience, as long as it's done correctly. To provide the consistent brand experience you need and want, you must ensure that the teams responsible for account linking and identity management as a whole are dedicated to security and will keep all associated credentials safe, wherever they are being used on your site(s) to avoid risking a breach or attack.
How to Detect Anomalies
The two credential stuffing precautions mentioned above are great prevention methods that are used to lessen the possibility that a hacker can maliciously log in to an online account. And while these stop most credential stuffing attacks in their tracks, businesses should be aware there's still a chance a user's credentials can be compromised, as attacks are getting more sophisticated.
If this occurs, online providers should be prepared to confront an attacker while in the process of logging in to an account by using an identity management platform that can detect automated attacks. Anomaly detection features help companies recognize and understand what "normal" user behavior looks like for a particular account, and signal the organization when behavioral patterns that deviate from what it has defined as normal are detected. [Editor's note: The author's company is one of many that offer anomaly detection capabilities.] Once the organization has this information, it can quickly alert a user to change his or her password before it's too late.
As splintering of streaming platforms creates an even larger market, users will likely be tempted to reuse account passwords for two or more services for ease of access. While this is convenient, what they likely don't realize is that with every recycled password, the probability of becoming a victim of credential stuffing increases.
All businesses must prioritize customer protection by taking on some of the responsibility to prevent these attacks through multipronged authentication and identity management solutions. Although the volume of credential stuffing attacks will exponentially increase as streaming providers and other online services multiply, companies can ensure hackers' success rates do not by putting customers first — without compromising the user experience.