Disney+ Might Have a Notable Hacker Problem
fortune.com
Extra fun tip I'm sort of nervous putting out there just because it's a potential attack vector: if you used the same email address as your existing MyDisneyExperience account, guess what? The password you set while registering for Disney+ is now the password for your MDE account - they were "merged" without notification (that I saw). So not only is your Disney+ account compromised, potentially the account you use to book vacations is as well.
EDIT: I have "merged" in quotes because I am not sure if changing your D+ email changes it for your MDE account as well, or vice-versa.
> I have "merged" in quotes because I am not sure if changing your D+ email changes it for your MDE account as well, or vice-versa.
If the merger of Disney Movie Rewards and Disney accounts, or the merger of Marvel and Disney accounts are any indication to go by, it's likely forever to always be a mess. Disney's goal for "one account system" has just been one wild ride after another. Given how many of their websites still in 2019 redirect to or through *.go.com for reasons unknown, I have to imagine their web tech stack is a fascinating archeology dive under the hood.
Based on the description of the hack, if your Disney+ account was "hacked" then your MDE account details were already on the black market.
TLDR: Disney+ wasn't actually hacked. But many people reused credentials from other sites that were already in account leaks.
With 10m moms and dads signing up, I'm going to guess this is largely due to password reuse from prior hacks. Christmas123.
Bingo. People using the same login on multiple sites.
The sellers get massive email:password lists, which are known as combo lists. These are usually from hacked sites that have been SQL injected.
People probably all have giant lists of Netflix, Hulu Etc. accounts and then just recheck them on Disney+
Then they'll use a checker app which just mass checks the sites. I imagine Disney don't have a captcha set up, or require one after a large number of failed logins.
There's no point IP limiting logins as most guys will be using massive botnet proxy services that give you a zillion IPs.
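The comment above makes a detection point worth seeing in code: a checker run through a proxy pool sends roughly one attempt per IP, so a per-IP counter never fires. This is an added example (not code from the thread) that scores a constructed login log by window-wide failure ratio and by how many distinct accounts failed, and routes successes during a suspected run to step-up verification. The log, IP ranges, account names and thresholds are all constructed for the example.

```python
"""Credential-stuffing detection over a constructed login log.

Added example, not code from the thread. Per-IP rate limiting is defeated by
proxy pools (one attempt per IP), so the signals used here are aggregated per
window and per account instead.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # constructed timestamp, seconds
    ip: str
    account: str
    success: bool


def spray(n_accounts: int, n_hits: int, base_ts: int) -> list:
    """Constructed proxy-pool spray: one attempt per account, each from a fresh IP.

    The first n_hits accounts 'succeed', standing in for reused passwords."""
    return [
        LoginEvent(base_ts + i, f"198.51.100.{i + 1}", f"user{i:03d}@example.com", i < n_hits)
        for i in range(n_accounts)
    ]


# Constructed ordinary traffic: three users, one of whom mistypes once.
LEGIT = [
    LoginEvent(1000, "192.0.2.10", "alice@example.com", True),
    LoginEvent(1005, "192.0.2.11", "bob@example.com", False),
    LoginEvent(1012, "192.0.2.11", "bob@example.com", True),
    LoginEvent(1020, "192.0.2.12", "carol@example.com", True),
]
SAMPLE_EVENTS = LEGIT + spray(40, 4, base_ts=1030)


def analyse(events, window_s=300, fail_ratio_threshold=0.7, min_failed_accounts=20):
    """Summarise the last window_s seconds of login events and decide whether a
    stuffing campaign is likely; the thresholds are illustrative assumptions."""
    events = sorted(events, key=lambda e: e.ts)
    t_end = events[-1].ts
    window = [e for e in events if e.ts > t_end - window_s]
    attempts = len(window)
    failures = sum(1 for e in window if not e.success)
    failed_accounts = {e.account for e in window if not e.success}
    per_ip = Counter(e.ip for e in window)
    fail_ratio = failures / attempts if attempts else 0.0
    suspected = (fail_ratio >= fail_ratio_threshold
                 and len(failed_accounts) >= min_failed_accounts)
    # During a suspected campaign, every fresh success is a candidate takeover
    # with a reused password: route those sessions to step-up verification
    # (code to phone, account questions) rather than blocking outright.
    step_up = sorted({e.account for e in window if e.success}) if suspected else []
    return {
        "attempts": attempts,
        "failures": failures,
        "failure_ratio": fail_ratio,
        "failed_accounts": len(failed_accounts),
        "distinct_ips": len(per_ip),
        "max_attempts_per_ip": max(per_ip.values()) if per_ip else 0,
        "suspected": suspected,
        "step_up": step_up,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_EVENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the busiest single IP only makes two attempts (a real user retyping a password), so an IP threshold sees nothing, while the window as a whole is 84% failures across 37 accounts. Legitimate users who happen to log in during the run also get stepped up; that is the cost of a heuristic that keys on global behaviour rather than on the individual IP.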
It does seem like a particularly soft target in that regard.
We really need a 2FA solution that's friendly enough for normal people to use. Like, yesterday.
We really need even just a 1FA solution that's friendly enough for normal people to use securely. Passwords clearly aren't secure for normal people, and we should stop pretending like they ever were.
It exists already. Disney could just federate their logins to Google, for example, and all these problems are solved for them for free.
Note that both Google and Facebook have extensive infrastructures in place to detect and block password reuse based account hacking. Knowing the password is not enough to always log in to a Google account. In some cases the login process will ask you questions about your account or ask you to receive a code on your phone to verify authenticity. It's a bit like a heuristically triggered and thus easier form of 2FA.
Disney's problem here is that they have tried to make their own global federated account system but without much expertise in doing so. Tech firms have successfully fought off and blocked these attacks years ago.
Also more likely to be a leak from some account harvester / malware / ... rather than D+ getting hacked.
Shame on D+ for not screening passwords against known hacked u/p.
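Screening against known-breached credentials is cheap to do at registration. The following is an added example (not code from the thread) of a check modelled on the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords service: the client sends only the first five hex characters of the SHA-1 hash and compares suffixes locally, so the service never learns the password. The breach corpus here is a small constructed in-memory stand-in, and the 12-character minimum is an assumed policy.

```python
"""Screening a candidate password against a breach corpus without revealing it.

Added example, not code from the thread. The exchange is modelled on the
k-anonymity range scheme of Have I Been Pwned's Pwned Passwords service (the
client sends only the first five hex characters of the SHA-1), but the corpus
here is a small constructed stand-in held in memory, so nothing leaves the process.
"""
import hashlib
from collections import Counter

# Constructed breach corpus: plaintext -> number of times it was seen.
BREACHED_PLAINTEXTS = Counter({
    "Christmas123": 3,
    "password": 5000,
    "123456": 9000,
    "Mickey2019!": 2,
})


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(plaintexts: Counter) -> dict:
    """Server side: index the hashed corpus by its 5-character prefix."""
    corpus = {}
    for pw, n in plaintexts.items():
        h = sha1_hex(pw)
        corpus.setdefault(h[:5], {})[h[5:]] = n
    return corpus


CORPUS = build_corpus(BREACHED_PLAINTEXTS)


def range_lookup(prefix: str, corpus: dict) -> list:
    """Server side: answer a prefix query with every suffix in that bucket.

    The server learns only the prefix, never the full hash or the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    bucket = corpus.get(prefix.upper(), {})
    return [f"{suffix}:{n}" for suffix, n in sorted(bucket.items())]


def breach_count(password: str, corpus: dict) -> int:
    """Client side: query by prefix, then compare suffixes locally."""
    h = sha1_hex(password)
    for line in range_lookup(h[:5], corpus):
        suffix, _, n = line.partition(":")
        if suffix == h[5:]:
            return int(n)
    return 0


def accept_password(password: str, corpus: dict, min_len: int = 12) -> tuple:
    """Registration policy: reject short passwords and anything in the corpus."""
    if len(password) < min_len:
        return False, "too short"
    seen = breach_count(password, corpus)
    if seen:
        return False, f"appears {seen} times in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Christmas123", "correct horse battery staple"):
        print(candidate, "->", accept_password(candidate, CORPUS))
```

The split between range_lookup (what the service sees) and breach_count (what stays on the client) is the whole point: a real deployment replaces the in-memory corpus with the remote range endpoint and keeps the client half unchanged.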
Yeah, this is my hypothesis. It is just a brute force attack using old email and passwords from previous hacks on other services.
The email change is particularly disturbing. A good security design would be to send the old email a notice of change request and give them a link that can always be used to undo that change (which might require the at the time older password as well).
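The design in the comment above, as an added example that is not code from the thread: the change is applied immediately (so a user who has lost the old inbox is not locked out), the old address receives a single-use, time-limited undo link, and the undo is bound to the password that was current when the change was made. Account storage, the mail sender, the clock and the 30-day undo window are all in-memory stand-ins and assumptions.

```python
"""Email-change flow that notifies the old address and keeps a revert path.

Added example, not code from the thread. Account storage, the mail sender and
the clock are in-memory stand-ins; the design points are the ones the comment
lists: notice to the old address, a long-lived single-use undo link, and a
check of the password that was current at the time of the change.
"""
import hashlib
import hmac
import secrets

REVERT_TTL_S = 30 * 24 * 3600   # assumed undo window


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class FakeClock:
    """Constructed clock so the undo window can be exercised deterministically."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.session_epoch = 0           # bumped to invalidate every session
        self.must_reset_password = False

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


class EmailChangeService:
    def __init__(self, clock):
        self.clock = clock
        self.outbox = []     # (to, subject, token) records, in place of a mailer
        self.reverts = {}    # sha256(token) -> pending revert record

    def change_email(self, acct: Account, new_email: str, current_password: str):
        """Apply the change and mail the OLD address an undo link. Returns the
        raw token (only so the example can exercise it) or None on bad password."""
        if not acct.check_password(current_password):
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token so a leaked table cannot be replayed.
        self.reverts[hashlib.sha256(token.encode()).hexdigest()] = {
            "account": acct,
            "old_email": acct.email,
            "pw_hash_at_change": acct.pw_hash,   # password current when the change happened
            "salt": acct.salt,
            "expires": self.clock() + REVERT_TTL_S,
            "used": False,
        }
        old_email, acct.email = acct.email, new_email
        self.outbox.append((old_email, "Your sign-in email was changed", token))
        return token

    def revert(self, token: str, password_at_change: str) -> bool:
        """Undo from the link in the notice; single use, time-limited, and
        bound to the password that was current at the time of the change."""
        rec = self.reverts.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["used"] or self.clock() > rec["expires"]:
            return False
        expected = hash_password(password_at_change, rec["salt"])
        if not hmac.compare_digest(rec["pw_hash_at_change"], expected):
            return False
        acct = rec["account"]
        acct.email = rec["old_email"]
        acct.session_epoch += 1          # kick out whoever made the change
        acct.must_reset_password = True  # that password is known to someone else
        rec["used"] = True
        return True


if __name__ == "__main__":
    clock = FakeClock(1_000_000)
    svc = EmailChangeService(clock)
    owner = Account("owner@example.com", "Christmas123")
    undo = svc.change_email(owner, "someone-else@example.net", "Christmas123")
    print("notice sent to:", svc.outbox[0][0])
    print("reverted:", svc.revert(undo, "Christmas123"), "->", owner.email)
```

Two details matter beyond what the comment spells out: a successful revert also invalidates every session and forces a password reset, because a takeover that got as far as changing the email implies the password itself is known; and the service keeps only a hash of the undo token, so a database read does not hand out working undo links.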
Most services don't do that. I have had my personal email account DDoSed before and requiring access to that inbox to change my email address would have been impossible for over a month.
Does anyone else still torrent?
I rarely watch a tv show or a movie, but when I do I just torrent it. I've been doing this since Limewire (which was a lot of really shitty porn at the time).
Showed my boys Princess Mononoke the other day - will show them the Mandalorian tonight, a buddy told me it's pretty good.
Does anyone still shoplift? /s
Yes, people still steal. Torrenting is usually more convenient, but for media that actually cost a ton of money to produce, I still feel iffy about stealing it. I would never recommend it to anyone when buying and paying for media is still an option.
Even if something like Ghibli movies might not conveniently be available for on-demand streaming, I still think everyone is under the moral obligation to plan ahead and buy it on a more traditional format rather than to resort to piracy. It is your own short-sightedness if you can't anticipate the need beforehand and order it in time.
If for some reason media can't be bought new anymore and your money isn't good anywhere, then by all means pirate it. I consider that it has at that point entered a public domain of sorts.
Piracy isn't stealing. Many people have been over this. You've been brainwashed if you think it's stealing.
It's still against the law in many places, but to call it stealing is just spreading misinformation and propaganda.
I think "stealing" is the semantically/technically incorrect term that's used as a sort of justification for not compensating the creator of a work, who paid to create that work, even though that work is considered valuable to the person using/watching it.
Hmm - is there a good summary of this argument I could read? I torrented many years ago and it always felt like stealing and still does. Seems more or less equivalent to shoplifting to me from a moral standpoint, would be curious to read into this!
(I'm assuming this is not the "oh I actually pay and I just want to watch it on an unsupported device" argument)
If I shoplift a bag of Doritos, the shop has one fewer bag of Doritos.
If I pirate a show, it doesn't disappear from Disney's hard drives.
People use "steal" like that all the time. "You stole my idea." "He stole my look!" "She stole my song." Etc... So I don't really think that's a very good argument.
What's a good word for "obtaining digital content without paying for the right to possess said digital content"?
The shop doesn't care about the Doritos. The owner isn't going to eat them. The shops only care about getting paid by who takes the Doritos.
Any particular reason that you're interchanging two words that are not interchangeable?
stealing, torrenting or piracy?
I think many people, even if they pay for the services, still torrent. It’s so much more convenient to have everything in Plex where it plays across all devices rather than chase down which app/device combo has the content you’re looking for.
Sorry - forgot to mention I pay for subs like HBO, Netflix, all that. If I ever see a movie in a theater, I torrent it later.
I've torrented all of Game of Thrones, yet I always pay my monthly for the service.
Plex has 20 million users to Netflix's 150 million despite Netflix's far higher price. The public says Netflix is far more convenient.
It’s a different audience.
Despite UX improvements to Plex, running a Plex server is still a fairly technical endeavor. However, that doesn’t mean the millions more people who have Netflix, but not Plex, do not dream of a day where simply all video media is in one place.
Almost anyone I introduce to Plex is simply mesmerized and the growing community of shared Plex servers shows that it is taking off. The continued fragmentation of all of these exclusive streaming services is just going to drive more and more people back to DIY solutions.
I'm sure some people do. I prefer to pay for things though.
It’s not a matter of paying for stuff, at least not in Europe. I have 3 different streaming subscriptions (still cheaper than 8 channels of flow tv with its 50% commercials), and I absolutely hate watching a tv show, only to find out the European version of the streaming service doesn’t have the last 4 seasons yet, despite the show being over and the finale having “aired” in the US.
In cases like that I turn to torrents and download whatever seasons I’m missing, watch them and delete them again. I still keep my streaming subscriptions though.
It has gotten better, and the problem is mostly confined to cross studio/service shows, or services not available in Europe.
HBO Nordic hasn’t even announced an air date for Mr. Robot season 4 yet, which I guess is great as I can only dodge spoilers for so long, so when it eventually hits I’ll know the ending.
Even if the show was available on a European streaming service, I’d probably stream it anyway. There’s a limit to how many streaming services I care to have, and torrenting is so much easier than trying to navigate the dark patterns most streaming services put around their unsubscribe pages.
I’m also too lazy to subscribe/unsubscribe multiple times per year to multiple services.
Perhaps a “pay per view” model that bills you X per show watched, up to a maximum equal to the monthly subscription fee. That way I could have multiple subscriptions and only pay subscription fees to the services I actually use, and once I stopped watching them I’d automatically be unsubscribed.
Of course that will never happen while there are a million services.
Or usenet? Far superior to torrents IMO.