Two major companies were hit by cybercrime this week: Macy’s suffered a data breach, exposing customer credit cards, and Disney+ customers were victims of “credential stuffing,” a technique in which attackers replay passwords leaked from other services to gain access to accounts.
Disney denied that a breach had occurred. However, John Shier, senior security advisor at Sophos, pointed out that Disney itself didn’t need to be hacked for customers to have their accounts accessed by criminals, as the company had not set up adequate safeguards.
“Many Disney+ users are reporting that they have been locked out of their accounts,” he said. “Disney+ has responded by saying they have no evidence of a breach. Our experience suggests that this is likely the result of a credential stuffing attack, a phishing campaign against Disney+ users or the result of credential stealing malware on users’ devices.
“Credential stuffing is when cybercriminals use leaked credentials from one website – which could already be for sale on the dark web – and try those same credentials on other online services. This breach is a prime example of the importance of having unique passwords across all of your online services. As we’ve seen time and time again, cybercriminals are just as lazy as the rest of us. If they can get away with using a person’s previously compromised passwords across different services, that will be their default.”
Shier said excitement had been building for Disney+ and, while it’s in limited release, people will seek out alternative means to use the platform, even if that includes using someone else’s password.
“It also means that cybercriminals would likely take this opportunity to send out Disney+ phishing campaigns to net as many victims as possible and cash in on the hype. Opportunistic cybercriminals deploying credential stealing malware may be identifying Disney+ accounts in their collected data and offering them for sale separately because of the buzz associated with this new platform.
“Unfortunately, the Disney+ platform does not appear to offer any kind of multi-factor authentication which would thwart these kinds of attacks against online services.”
He said that, whatever the root cause, users of online services should incorporate these everyday cybersecurity practices into their online behaviour:
- Don’t reuse passwords, as old breaches can come back to haunt you when cybercriminals use passwords from past breaches
- Provide as little personally identifiable information online as possible
- All services, such as Disney+, should offer multi-factor authentication to ensure that passwords are protected and not the only means of defense
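Credential stuffing, as described above, leaves a recognisable trace on the defending side: one source address trying many distinct accounts in a short window, most of them failing, with the occasional success marking an account whose reused password was in the leaked set. The following detector is an added example, not code from Sophos, Disney+ or Macy’s; the log format, the field names and the sample log lines are all constructed for the illustration, and the thresholds (window length, minimum distinct accounts, minimum failure ratio) are assumptions to be tuned against a real login service.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example: one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample data (documentation IP ranges, fictional users), not a real capture.
# 198.51.100.7 walks through six different accounts in five seconds; one hits.
# 203.0.113.4 is a normal user mistyping a password twice before succeeding.
SAMPLE_LOG = """\
2019-11-18T09:00:01Z ip=198.51.100.7 user=alice result=FAIL
2019-11-18T09:00:02Z ip=198.51.100.7 user=bob result=FAIL
2019-11-18T09:00:03Z ip=198.51.100.7 user=carol result=OK
2019-11-18T09:00:04Z ip=198.51.100.7 user=dave result=FAIL
2019-11-18T09:00:05Z ip=198.51.100.7 user=erin result=FAIL
2019-11-18T09:00:06Z ip=198.51.100.7 user=frank result=FAIL
2019-11-18T09:05:00Z ip=203.0.113.4 user=alice result=FAIL
2019-11-18T09:05:07Z ip=203.0.113.4 user=alice result=FAIL
2019-11-18T09:05:15Z ip=203.0.113.4 user=alice result=OK
2019-11-18T09:10:00Z ip=203.0.113.9 user=bob result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window_seconds=60, min_accounts=5, min_fail_ratio=0.8):
    """Return one finding per source IP that, within any window of
    `window_seconds`, targeted at least `min_accounts` distinct accounts
    with a failure ratio of at least `min_fail_ratio` (thresholds are assumed).

    A single user failing repeatedly against their own account is not flagged:
    the distinct-account count is what separates stuffing from a forgotten password.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        # Slide a window that starts at each event in turn and keep the widest hit.
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            accounts = {e["user"] for e in in_window}
            failures = sum(1 for e in in_window if not e["ok"])
            ratio = failures / len(in_window)  # in_window always contains `start`
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                cand = {
                    "ip": ip,
                    "accounts": len(accounts),
                    "attempts": len(in_window),
                    "failures": failures,
                    # Successful logins inside a stuffing burst are the accounts
                    # whose reused password was in the leaked set: reset them first.
                    "compromised": sorted(e["user"] for e in in_window if e["ok"]),
                }
                if best is None or cand["accounts"] > best["accounts"]:
                    best = cand
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']}: {f['accounts']} accounts, {f['failures']}/{f['attempts']} failed,"
              f" likely compromised: {f['compromised']}")
```

The "compromised" list is the operationally useful output: those are the accounts on which a leaked password worked, so they are the ones to force a reset on and, where the service offers it, to enrol in multi-factor authentication, which is the control Shier notes would have blunted the attack in the first place. A real deployment would also need to account for shared egress addresses (corporate NAT, mobile carriers), which raise the distinct-account count for legitimate traffic and argue for a per-network baseline rather than a single global threshold.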
“Macy’s is a very different example of a breach, but it has similarly failed to properly respond to being compromised and it hasn’t held itself fully accountable. The breach may have only affected a small number of customers, but that’s a cold comfort for the customers whose identity details were compromised.”