Cyber Incident Victim: The Walt Disney Company

Date: Nov 2019

Location: United States of America

Summary

Shortly after its launch, the Disney+ streaming service experienced widespread account compromises, with hackers hijacking user credentials and locking out legitimate owners by resetting passwords and emails. Thousands of compromised accounts were rapidly listed for sale on hacking forums, priced between $3 and $11, while others were distributed freely; credentials appeared in cleartext lists, some verified as active by affected users. The breaches stemmed from credential reuse across other breached platforms and potential malware-based theft, impacting users despite some employing unique passwords, mirroring ongoing security challenges faced by similar streaming services.


Description

The Disney+ streaming service launched on November 12, 2019, in the US, Canada, and the Netherlands, attracting over 10 million subscribers within its first 24 hours. Technical issues disrupted service access for many users during the launch period. Concurrently, a separate wave of account compromises emerged, with users reporting unauthorized access within hours of the platform's debut. Attackers systematically hijacked accounts by logging out legitimate users, changing associated email addresses and passwords, and locking original owners out of their subscriptions. Social media platforms like Twitter and Reddit became hubs for user complaints about these takeovers, with some victims confirming password reuse across multiple services while others insisted they had employed unique Disney+ credentials. Evidence suggested attackers leveraged both credential stuffing (using email/password combinations from prior breaches) and malware-based theft (such as keyloggers or info-stealers) to obtain login details.

By November 16, 2019, thousands of compromised Disney+ accounts appeared for sale on hacking forums, priced between $3 and $11 per account—exceeding the legitimate $7 monthly subscription cost. Some hackers distributed credentials freely in bulk lists, exploiting Disney+'s allowance of account sharing. ZDNet investigators verified active account access by contacting users whose cleartext credentials appeared in these lists, confirming the breaches. The incident mirrored long-standing challenges faced by streaming platforms like Netflix, Hulu, and Amazon Prime, where stolen accounts routinely circulate on underground markets due to sustained buyer demand. Disney did not publicly disclose mitigation measures during the initial incident timeframe, though user reports highlighted the immediate operational impact of account lockouts and service disruptions alongside the broader compromise wave.
