Consumers and critics alike have long clamored for the Disney+ streaming service, however, its recent launch has once again exposed the risks with password reuse. Even a mega-brand like Disney has password risks.
An investigation found that less than 48 hours after launch, thousands of exposed Disney+ passwords and accounts were already for sale. It appears the site was targeted by a credential stuffing attack. In other words, cybercriminals took exposed username and password pairs from a previous data breach and then automated the process of trying these compromised credentials to gain access to consumers’ Disney+ accounts, this is known as account takeover.
The reason credential stuffing attacks are successful is that many users continue to reuse passwords across multiple accounts. Recent research from Google found that a staggering 52 percent of people use the same password for multiple accounts, and even worse, 13 percent use the same combination for every account! The sheer scale of a site like Disney+ increases the probability that credential stuffing attacks will be successful.
Expecting human behavior to change quickly is not a good solution as customers and users are just too lax about passwords and protecting their own accounts. Therefore, companies must anticipate that password reuse will continue due to its convenience and add in steps to reduce the risk.
One simple way is to have a pop-up box reminding users at account setup about the importance of selecting a strong, unique password. Companies could also add a link to a free password check tool that allows the user to check if the password has already been exposed.
To reduce the risk from automated attacks, organizations should make good password hygiene a priority and implement a multi-layered approach. There is no panacea to the problem, but by applying a layered approach, the risk of credential stuffing attacks is reduced.
With these credential screening measures, organizations can easily avoid the negative media coverage and more importantly, customer’s would know if their accounts are at risk for account takeover. This would be helpful for Disney’s recent password issue.
In the digital age, hackers covet consumer credentials with the same fervor Darth Vader displayed in trying to turn Luke to the Dark Side. And while it’s impossible for any company to entirely prevent against credential stuffing or other forms of attack, eliminating password reuse goes along way in strengthening the Rebel–that is, consumer–Alliance. May the force be with Disney+.