Your Disney+ Account Was Not Hacked

There has been a lot of inaccurate information about Disney+ accounts getting hacked. Some of it was early reporting (before Disney had responded and before much was known about what was happening) and some of it is just lazy reporting. It is pretty clear now, though, that there was no security breach at Disney. So, while many cases of hijacked Disney+ accounts have been reported, they are (mostly) not Disney's fault. They have been the users' fault.

What has really been happening is that Disney+ subscribers have been reusing credentials that were stolen somewhere else. So, if you are using the same credentials for Disney+ that you used, for example, on LinkedIn, your old MySpace account, or MyFitnessPal, you are vulnerable to credential stuffing. Basically, hackers take lists of compromised credentials from one breach and try them against other services.

To put it simply: do not reuse credentials. Every login you have should have a unique password that you aren't using anywhere else. That way, if Disney+ ever actually does get hacked, your login to your bank isn't vulnerable.

It is pretty easy to check whether any data breaches have been reported for your email address, or for a password you are using. Have I Been Pwned provides a service for this, and even makes it available for websites to use to stop their users from choosing compromised passwords. You can also sign up there to be notified if any new breaches are associated with your email address.
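As an added example (not code from the original post or from Have I Been Pwned), here is how a website could perform that check against the Pwned Passwords range API using its k-anonymity model: only the first five characters of the password's SHA-1 hash are sent to the server, and the matching suffix is looked for locally in the returned list. The range response below is constructed for offline use and its counts are made up; `live_fetch` is the assumed real call, included for reference but not used in the offline run.

```python
"""Check a password against Pwned Passwords without revealing it (k-anonymity)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

API = "https://api.pwnedpasswords.com/range/"

def hash_parts(password: str) -> Tuple[str, str]:
    """SHA-1 the password; only the 5-char prefix is ever sent off-host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:  # padded responses may carry count-0 dummy rows
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Return how often the password appeared in breaches (0 = not found)."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

def live_fetch(prefix: str) -> str:
    """Real lookup; Add-Padding hides the true size of the returned range."""
    req = urllib.request.Request(API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the range response for prefix 5BAA6 (SHA-1 of
# "password" starts 5BAA6...). The counts are made up, not real API data.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F5E8A0C2D3B4C5D6E7F8091A2B3C4D5E6F:2
"""

def offline_fetch(prefix: str) -> str:
    """Offline substitute for live_fetch, serving only the constructed range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def is_acceptable(password: str, fetch: Callable[[str], str] = offline_fetch) -> bool:
    """Signup/reset policy: reject any password that has appeared in a breach."""
    return breach_count(password, fetch) == 0

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7Q!x"):
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch)} times, ok={is_acceptable(pw)}")
```

Swap `offline_fetch` for `live_fetch` to query the real service; the password itself never leaves the machine either way.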

While credential stuffing is pretty difficult for an online service provider to counter, there is one thing they could do: require two-factor authentication (2FA). That way, even if your credentials become compromised, a hacker cannot gain access to your account without also guessing a one-time code, which is pretty unlikely. Whether Disney has the appetite to do that, though, remains to be seen. The streaming services have all tolerated credential sharing among friends and family, and implementing 2FA makes that much more difficult. That said, once you've shared your credentials with anyone, they are no longer secret. They are only as safe as the computer, email account, etc. of the person you've shared them with.