The long wait is over.

Disney+, the new video streaming service competing with Netflix and Amazon Prime, debuted to fans last week, racking up 10 million users within a day of launch. Unfortunately, it was not the experience most users anticipated: they ran into connection and performance issues right out of the gate, and those were soon followed by reports of hijacked accounts being stolen and sold on the dark web.

Disney+ problem trend line, outage heat map, and the most reported problems, according to Downdetector.
A snapshot of some of the hitches users are encountering (Courtesy of Downdetector Australia)

Disney+, on the other hand, didn’t expect to be overwhelmed with technical complications due to exceedingly high consumer demand. It also does not admit to suffering a data breach, despite complaints from users who were frozen out of their accounts or saw their credentials changed without approval.

Things continue to unfold as we speak, but here’s what we currently know about the Disney+ security issues.

Disney+ user credentials on the dark web

For as low as US$3, interested buyers lurking on the dark web can acquire a trove of stolen Disney+ accounts, which popped up in several underground markets mere hours after launch last week. According to an investigation conducted by ZDNet’s Catalin Cimpanu, “hacker forums have been flooded with Disney+ accounts, with ads offering thousands of account credentials.” They also saw hijacked accounts being offered for free use and sharing.

The pitch to free Disney+ accounts (Courtesy of ZDNet)

The BBC, with the help of an unnamed cybersecurity researcher, further confirmed the sale of thousands of Disney+ accounts.

No smoking gun…yet

As of press time, Disney denies that there was a data breach of its streaming platform, and no one has pointed to a root cause for how Disney+ accounts were hijacked. However, there are some informed speculations.

Users with hijacked accounts may have used recycled credentials. If true, this would not be a surprise. According to a Google survey, two in three Internet users reuse their passwords, some for multiple accounts and some for all of them.

With credentials leaked from multiple data breaches, hackers could have used credential stuffing: automatically entering compromised username/password combinations into a target account form, in this case the Disney+ login. This assumes that the user entered that exact combination on the service.

Disney+ also allows password sharing, but its user interface does not include an easy option for logging other people out of an account. Furthermore, it does not require two-factor authentication, a security measure that could have prevented recycled credentials from being an issue.
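As an added illustration of the credential-stuffing pattern described above (not code from the original article), the following Python script flags login sources that spray many distinct accounts within a short window with a high failure rate, the kind of signal a streaming service could use to lock accounts proactively. The log format, thresholds and sample entries are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events (not real Disney+ telemetry): time, source IP,
# account, result. A stuffing run is one source spraying many distinct accounts,
# mostly failing, with an occasional success where a reused password matched.
SAMPLE_LOG = """\
2019-11-12T13:00:01Z 203.0.113.7 alice@example.com FAIL
2019-11-12T13:00:02Z 203.0.113.7 bob@example.com FAIL
2019-11-12T13:00:02Z 203.0.113.7 carol@example.com SUCCESS
2019-11-12T13:00:03Z 203.0.113.7 dave@example.com FAIL
2019-11-12T13:00:04Z 203.0.113.7 erin@example.com FAIL
2019-11-12T13:00:05Z 203.0.113.7 frank@example.com FAIL
2019-11-12T13:01:10Z 198.51.100.2 grace@example.com FAIL
2019-11-12T13:01:40Z 198.51.100.2 grace@example.com SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")
def parse_events(text):
    """Parse log lines into (timestamp, ip, user, result); skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, min_fail_ratio=0.6):
    """Flag sources whose attempts inside `window` touch many accounts and mostly
    fail; returns {ip: (distinct_users, fail_ratio, accounts_hit)}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide window
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            ratio = sum(r == "FAIL" for _, _, r in chunk) / len(chunk)
            # keep the widest qualifying window seen for this source
            if (len(users) >= min_distinct_users and ratio >= min_fail_ratio
                    and len(users) > flagged.get(ip, (0,))[0]):
                hits = sorted(u for _, u, r in chunk if r == "SUCCESS")
                flagged[ip] = (len(users), ratio, hits)
    return flagged
```

A single user retrying their own password (one account, a few attempts) never reaches the distinct-account threshold, so only the spraying source is reported, along with the accounts where a reused password actually matched.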

Read: Are hackers gonna hack anymore? Not if we keep reusing passwords
Hackers may have guessed user passwords correctly. Another method hackers could have used is password guessing. It sounds silly, but it works because many users are still so bad at creating strong passwords, opting instead for ones that are easy to remember, such as “12345,” “password,” and “qwerty.” Add in the difficulty of entering complex passwords via TV remote, and that makes this scenario even more plausible.

However, ZDNet points out that even consumers who used unique passwords claim their accounts were hijacked. In such cases, it is possible that…

Disney+ really was hacked or its user database leaked online. Not all companies immediately admit to being breached, especially if they are in the middle of investigating the culprit or root cause. Furthermore, Disney has a documented history of cutting back on investing in technology infrastructure. It’s possible their databases were not properly secured and credentials actually leaked online, allowing threat actors to simply grab the information they needed without having to breach anything at all.

Users may actually have malware on their systems. Considering the likes of spyware and keyloggers in the wild, this isn’t a long shot. So many homes are connected to the Internet through streaming services and other IoT devices, such as home assistants, thermostats, doorbells, and security and lock systems. These networked devices are notoriously vulnerable.

Users may have been phished. While there are no active reports of phishing campaigns against Disney+ users, we have seen a well-timed, professionally put-together phishing email fool even the cleverest of Internet users.

Disney+ account lockouts are a security precaution

There are user complaints on social media claiming that people have been locked out of the Disney+ service. While this may suggest that hackers have successfully changed the linked emails and passwords of affected accounts, it could also suggest that a security precaution Disney has in place is working: when its system sees suspicious activity on an account during the login process, it locks that account.

Of course, until Disney customer service confirms this to be true for affected users, we can only assume that finding yourself locked out is the streaming service’s way of protecting your account from getting compromised. Unfortunately, Disney made the mistake of linking its new streaming service with the rest of its platforms, freezing some users out of their other Disney services as well.

At the end of the day, there’s good news

There is big room for improvement, for both the users and Disney+.

Users should treat this incident as a reminder of the importance of good password hygiene, such as creating unique and complex credentials and never reusing them. Chances are, online criminals already have some of your old passwords in their stash, so why keep using them?

Take note of what others have already advised: start using a password manager. There are plenty of options out there, so take your time and make sure you choose the one you think is right for you. Because Disney+ has no additional layer of account protection, such as two-factor authentication (2FA), it is more crucial than ever to use a randomly generated, long password that you don’t have to memorize.

Speaking of passwords, it’s also good practice to avoid sharing them with anyone, including friends and family members. Yes, Disney tolerates the practice of password sharing, but for security’s sake, it’s best not to. At the very least, consider introducing a little bit of friction in keeping your accounts secure. And this is true not just for Disney+ account holders.

Disney+ isn’t short on great suggestions for improving its security, either. Apart from implementing and mandating the use of 2FA (especially for linked Walt Disney accounts), it should also offer a feature that lets users view the other devices connected to their Disney+ account. Some have also suggested that, since Disney also owns Hulu, Disney+ should have a feature that allows account holders to log everyone out in the event of a hack.

Disney+ is rolling out in European countries and the UK in March 2020. Hopefully by that time, both users and Disney will have done more to ensure that accounts are secured, beefier protections are enabled, and performance issues are ironed out.