Disney has said that previous breaches at other companies are responsible for a number of hacked Disney+ accounts.
Hours after the service launched on November 12th, thousands of Disney+ accounts were being sold on the dark web for as little as $3 USD (approximately $4 CAD). A subscription to Disney+ costs $8.99 CAD per month.
“Billions of usernames and passwords leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the web,” the company said in a statement issued to MobileSyrup regarding users recycling passwords.
Since users often reuse passwords for several different services, a breach of one account allows hackers to gain access to others. Hackers are able to lift a password from a site that was previously hacked.
The stolen accounts on the dark web displayed the type of subscription the user signed up for and when the account expires.
The company says that only a small percentage of people were in this situation. Disney also reiterated that it has not found any evidence of a security breach.
“We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password,” the company said.
Disney is encouraging users who have been impacted to reach out to its customer support department.