Disney’s new subscription service signed up 10 million customers on the first day it launched. Hype fuelled by new original shows such as Star Wars TV spin-off, The Mandalorian, meant customers had eagerly anticipated its launch. But no sooner had some customers logged into the service than they were swiftly logged out again.
On Monday, ZDNet reported that subscribers were complaining about being locked out of their accounts en masse. Potentially thousands of accounts were hacked, with Disney+ login details being sold online for as little as $3 (£2.30) and reportedly up to $11 (£8.50), more than the monthly subscription fee of $7 (£5.40). “Not even been half of a week and my dad’s Disney+ account has ALREADY been hacked. Great security there @disneyplus @Disney. Unbelievable. #DisneyPlus,” tweeted one irate user.
But how was this hack pulled off? The method used is known as credential stuffing, and it has become common over the last year. Deliveroo users in the UK were targeted earlier this year and saw fraudulent food orders placed on their accounts. Although it is still referred to as a ‘hack’, it wasn’t Disney’s servers that were compromised but its customers: specifically, passwords they had already used on other sites that were breached earlier.
“What hackers do is they have a huge list of previously stolen username and password combinations and they use hacking tools to automatically check those username and password combinations against the target website,” says Andrew Martin, CEO of DynaRisk, a cybersecurity company. “They throw hundreds of millions of account details at them, and they see what sticks.”
The username and password combinations are ones harvested in earlier breaches, through methods such as SQL injection, where an attacker exploits weaknesses in a company’s web application to pull user data out of its database, or through malware planted inside a company to snatch data.
Databases stuffed with this information circulate on the dark web. “There are common places where people exchange data – either on forums or IRC [Internet Relay Chat] channels and so on,” says Jorge Blasco Alis, a lecturer in Information Security at Royal Holloway University of London. “In some cases they are so cheap that there is no need to pay for access.” Attacking forums or sites with poorer security can be the most lucrative way of scoring a data dump that quickly filters down into these databases.
Of course, it would take an inordinate amount of time to check username and password combinations against a specific site by hand. Instead, attackers use tools that automatically work through vast lists of combinations. One of these tools is a piece of software called Sentry MBA. “This tool is a sort of base tool,” says Martin. “Then hackers create scripts for each specific site they want to go after.”
“What they do is they log in to the service, and they observe how that login happens – what different information gets passed to the back-end web application that they're logging into,” Martin says. “They then take a known ‘good’ request, and they turn it into a format which can be used over and over again in this hacking tool.” This lets them hurl stolen logins at the service in an automated way. These configuration scripts (shortened to ‘config’ in hacking circles) are created from scratch by cyber criminals.
Although it may take a day or two to build the config, launching the attack can take mere minutes. A config tailored for Disney+ was first spotted on November 12 by Martin’s team. “Lo and behold, about a week later, they've had some success and they're already sharing some of the stolen accounts,” he says. However, some hacking tools for Disney+ have been online for months, following some of the service's initial trials.
Some configs can even build a password change into the script, although this depends on the website. Sites that present a CAPTCHA are deliberately guarding against this possibility. There’s no way of saying whether this was the case with Disney+.
Given the huge databases of leaked credentials sitting on the dark web, a new service going online is an excellent opportunity to turn this information into a quick buck. It isn't a surprise that people were looking to break into Disney+ accounts from the first day it went live.
Credential stuffing is likely the method that was leveraged in the Disney+ case. Earlier this year Sky's UK television service was hit by an attack and people were told to update their passwords. And over the last 17 months there have been 12 billion attempts to access gaming websites using the method.
But other ways of getting into Disney+ accounts also exist. These include keylogging (malware that records every keystroke a user makes, capturing passwords without their knowledge) or malware designed to siphon off sensitive information. In this case, though, it was a high-volume attack. “Malware could monitor someone's computer for when they log in to the Disney+ service and capture that and upload it back to the hacker. But the credential stuffing approach is, in our opinion, a little more likely,” says Martin.
How likely is it that a hacker accessing an account in this way would be caught? “It depends how well the hacker has covered their tracks and how many intermediaries they put between themselves and the Disney+ service,” Martin says. Hackers route their traffic through proxies or compromised hosts to disguise its origin. These can be legitimate commercial services that mask internet activity, such as VPNs, or hacked computers that act as middlemen. The latter are machines infected with malware that turns them into relays on an illicit traffic route, without their owners' knowledge. “If your computer is used as a relay point, then your IP address would be the one showing up in the log files of, in this case, the Disney servers,” says Martin.
“Depending on how many of these connection attempts were happening from how many different IP addresses, that information can be provided to law enforcement, and they can work with Internet service providers to see if they can uncover who was behind some of those IP addresses,” he continues.
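The automated replay Martin describes, with its many different usernames thrown at one login endpoint, leaves a distinctive pattern in exactly the log files he mentions. The script below is an added example written for this article, not code from WIRED, Disney+ or DynaRisk: it parses a constructed login log (the format, the documentation-range IP addresses and the thresholds are all assumptions), separates a stuffing source from a subscriber who merely mistyped a password, lists the accounts that the stuffing source got into so they can be force-reset, and computes a site-wide signal that still fires when the attacker spreads the attempts across many proxies.

```python
"""Spotting a credential-stuffing run in web login logs.

Added example for this article; not code from WIRED, Disney+ or DynaRisk.
The log format (timestamp, source IP, username, OK/FAIL), the addresses and
the thresholds are assumptions, and every log line is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def build_sample_log():
    """Constructed sample: one stuffing source plus one ordinary subscriber."""
    base = datetime(2019, 11, 18, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 203.0.113.5 (a documentation-range address) replays 40 leaked
    # username/password pairs in 40 seconds; two of them "stick".
    for i in range(40):
        result = "OK" if i in (7, 29) else "FAIL"
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} 203.0.113.5 user{i:02d}@example.net {result}")
    # 198.51.100.9 is a real subscriber who mistypes twice, then gets in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=100 + 15 * i)).strftime(TS_FMT)
        lines.append(f"{ts} 198.51.100.9 dad@example.org {result}")
    return "\n".join(lines)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def source_stats(events):
    """Per source IP: attempts, distinct usernames, failure rate, time span."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    stats = {}
    for ip, evs in by_ip.items():
        attempts = len(evs)
        fails = sum(1 for e in evs if not e.ok)
        span = (max(e.ts for e in evs) - min(e.ts for e in evs)).total_seconds()
        stats[ip] = {
            "attempts": attempts,
            "distinct_users": len({e.user for e in evs}),
            "fail_rate": fails / attempts,
            "span_s": span,
        }
    return stats


def flag_stuffing(stats, min_attempts=20, min_user_ratio=0.8, min_fail_rate=0.9):
    """A stuffing source tries many *different* usernames and mostly fails.

    A subscriber retrying one account, or a brute-forcer hammering a single
    account with many passwords, both fail the distinct-username test.
    """
    flagged = []
    for ip, s in stats.items():
        if (s["attempts"] >= min_attempts
                and s["distinct_users"] / s["attempts"] >= min_user_ratio
                and s["fail_rate"] >= min_fail_rate):
            flagged.append(ip)
    return sorted(flagged)


def compromised_accounts(events, flagged_ips):
    """Accounts that logged in OK from a flagged source: force a reset."""
    ips = set(flagged_ips)
    return sorted({e.user for e in events if e.ok and e.ip in ips})


def single_try_failure_ratio(events):
    """Site-wide signal that survives proxy rotation: the share of usernames
    seen exactly once, as a failure. Many relays each trying one leaked pair
    push this towards 1.0 even though no single IP trips flag_stuffing()."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e.ok)
    single_fail = sum(1 for oks in per_user.values() if oks == [False])
    return single_fail / len(per_user)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    bad = flag_stuffing(source_stats(evs))
    print("flagged sources:", bad)
    print("accounts to reset:", compromised_accounts(evs, bad))
    print("single-try failure ratio: %.2f" % single_try_failure_ratio(evs))
```

The per-IP rule is what catches a single Sentry MBA instance running through a list; the single-try failure ratio is the one to watch once the attacker is behind a pool of VPN exits or infected relays, since each relay then looks like one unlucky user and only the aggregate gives the game away. Thresholds like twenty attempts and a 90 per cent failure rate are starting points to tune against a site's own baseline of genuine typos.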
But are these kinds of attacks even worth hackers’ time, given they’ll only have access until the user contacts the support desk and gets back into their account? It turns out this is only an issue when hackers change the password on these accounts. And they don’t necessarily have to do that.
“Because accounts can be used across several devices, a hacker will sell the account for maybe $1, and it will last as long as the user either changes the password or realises that someone else is using it,” says Blasco Alis. “It is much more stealthy to not change anything.” There have been cases of people with Amazon and Netflix subscriptions suddenly discovering a silent interloper was present on their account.
The easiest way to protect against these kinds of attacks is also the simplest: use a different password for every site, so that a breach of one site gives attackers nothing to stuff into another. Use a password manager to create and store strong, unique passwords. You can also check whether your information has turned up in a known breach at sites such as Have I Been Pwned?.
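Have I Been Pwned also publishes the breached passwords themselves, and its range API lets you check a password against that corpus without ever sending it: only the first five hex characters of the password's SHA-1 hash are sent, the server returns every hash suffix in that range, and the match is made on your own machine. The code below is an added example for this article, not code from WIRED or from Have I Been Pwned; it implements that documented lookup with an offline stand-in for the network call. The sample range response is constructed, so its counts are not real breach figures, and the `fetch_range()` function is included for a live lookup if wanted. A site can run the same check when a user picks a password and refuse anything already in the corpus, which removes exactly the reused passwords that credential stuffing relies on.

```python
"""Checking a password against Have I Been Pwned's k-anonymity range API.

Added example for this article; not code from WIRED or Have I Been Pwned.
Only a 5-character SHA-1 prefix leaves the machine. The sample range
response below is constructed (counts are made up) so the demo runs offline.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_split(password):
    """Return (5-char prefix sent to HIBP, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    When the client sends Add-Padding: true, the server mixes in fake
    suffixes with a count of 0 so response size leaks nothing; those are
    dropped here so they can never register as a hit.
    """
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix):
    """Live lookup over the network; not used by the offline demo or tests."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "credential-stuffing-article-example",
                 "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in the corpus (0 if never).

    `fetch` is injectable so the protocol can be exercised without network.
    """
    prefix, suffix = hibp_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for GET /range/5BAA6, the range that contains
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. Counts are
# invented; the real response for this prefix has hundreds of lines.
SAMPLE_RANGES = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
F1F2C8D0B9A5E4C3D2B1A0F9E8D7C6B5A4F:1
""",
}


def offline_fetch(prefix):
    """Stand-in for fetch_range() that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        prefix, _ = hibp_split(pw)
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: sent prefix {prefix}, seen {n} times in sample corpus")
```

Swap `offline_fetch` for `fetch_range` to query the real service; the password itself, and even most of its hash, never leave the machine either way.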
This article was originally published by WIRED UK