
Tools for Breaking Into Disney+ Accounts Have Been Online for Months

Hackers are selling Disney+ accounts on the dark web, but the tools to break into the accounts in the first place are already established.

Last week Disney launched its much-anticipated streaming service Disney+, and hackers wasted no time breaking into Disney+ accounts and then selling them online, ZDNet and the BBC found.

But this should not come as a surprise. Motherboard found that, for months, hackers have been giving away so-called "configs"—files that control special software for breaking into accounts en masse—designed to crack Disney+.


"DISNEY+ CONFIG," one thread on a hacking forum focused on breaking into online accounts reads. The author created the thread and shared the config itself two months ago, according to the forum.

Hackers load a config into a tool such as Sentry, which churns through combinations of email addresses and passwords in the hope that a user has shared one password across multiple services. Configs exist for all sorts of online services that may be attractive to hackers, such as Uber or Netflix. Hackers will typically use the software in conjunction with proxies, which route their traffic through different points before arriving at the Disney+ login portal, so Disney doesn't block the hackers.
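Seen from the defender's side, the proxy rotation described above is why a per-IP failure limit stays silent while a count of distinct failing accounts per time window does not. The following is an added example, not code from the article or from Disney; the log format, thresholds, addresses and function names are constructed assumptions.

```python
from collections import defaultdict

def make_sample_log():
    """Constructed log lines in an assumed format: epoch_seconds ip email result."""
    lines = []
    proxies = [f"203.0.113.{i}" for i in range(1, 6)]    # documentation-range IPs
    for n in range(20):                                    # one guess per account
        result = "OK" if n == 7 else "FAIL"                # one reused password hits
        lines.append(f"{1000 + n} {proxies[n % 5]} user{n}@example.com {result}")
    lines.append("1005 198.51.100.9 alice@example.com OK")     # ordinary logins
    lines.append("1012 198.51.100.9 alice@example.com OK")
    lines.append("1100 198.51.100.20 bob@example.com FAIL")    # typo, then success
    lines.append("1105 198.51.100.20 bob@example.com OK")
    return lines

def parse(lines):
    events = []
    for line in lines:
        ts, ip, email, result = line.split()
        events.append((int(ts), ip, email, result == "OK"))
    return events

def per_ip_offenders(events, limit=5):
    """Classic per-IP throttle: IPs with more than `limit` failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n > limit}

def stuffing_windows(events, window=60, min_accounts=10):
    """Flag windows where many distinct accounts fail, whatever the source IP."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    flagged = {}
    for key, evs in buckets.items():
        failed_accounts = {email for _, _, email, ok in evs if not ok}
        if len(failed_accounts) < min_accounts:
            continue
        bad_ips = {ip for _, ip, _, ok in evs if not ok}
        # A success from an IP that also failed against other accounts
        # suggests a reused password was found: candidate for forced reset.
        at_risk = sorted({email for _, ip, email, ok in evs if ok and ip in bad_ips})
        flagged[key * window] = {"failed_accounts": len(failed_accounts),
                                 "source_ips": len(bad_ips), "at_risk": at_risk}
    return flagged
```

On the constructed log, `per_ip_offenders` returns nothing because each proxy stays under the limit, while `stuffing_windows` flags the one-minute window and names the single account whose login succeeded from a proxy address.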

Do you work for Disney+? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Back when the Disney+ config creator published the file, the streaming service was only available in the Netherlands. The entrepreneurship wasn't lost on other users of the hacking forum.

"This is early n great share," one user wrote on a thread advertising the config at the time.

And since the Disney+ launch, hackers have paid more attention to the config.

"my mans this shit is sick af [as fuck]," one forum user responded on the thread on Sunday.

Within the last week, other hackers also published their own configs to the same hacking forum.

"Disney takes the privacy and security of our users' data very seriously and there is no indication of a security breach on Disney+," a Disney spokesperson wrote in an email.

Update: This piece has been updated to include comment from Disney.
