Tools For Breaking into Disney+ Accounts Have Been Online for Months
Credit to Author: Joseph Cox| Date: Mon, 18 Nov 2019 20:22:27 +0000
Last week Disney launched its much anticipated streaming service Disney+, and hackers wasted no time breaking into Disney+ accounts and then selling them online, ZDNet and the BBC found.
But this should not come as a surprise. Motherboard found that, for months, hackers have been giving away so-called "configs"—files that control special software for breaking into accounts en masse—designed to crack Disney+.
"DISNEY+ CONFIG," one thread on a hacking forum focused on breaking into online accounts reads. The author created the thread and shared the config itself two months ago, according to the forum.
Hackers load a config into a tool such as Sentry, which churns through combinations of email addresses and passwords in the hope that a user has shared one password across multiple services. Configs exist for all sorts of online services that may be attractive to hackers, such as Uber or Netflix. Hackers will typically use the software in conjunction with proxies, which route their traffic through different points before arriving at the Disney+ login portal, so Disney doesn't block the hackers.
Do you work for Disney+? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Back when the Disney+ config creator published the file, the streaming service was only available in the Netherlands. The entrepreneurship wasn't lost on other users of the hacking forum.
"This is early n great share," one user wrote on a thread advertising the config at the time.
And since the Disney+ launch, hackers have paid more attention to the config.
"my mans this shit is sick af [as fuck]," one forum user responded on the thread on Sunday.
Within that last week other hackers also published their own configs to the same hacking forum.
Disney did not immediately respond to a request for comment.
Subscribe to our new cybersecurity podcast, CYBER.
This article originally appeared on VICE US.