Disney Plus blames past hacks for user accounts sold online

FILE - In this Wednesday, Nov. 13, 2019 file photo, a Disney logo forms part of a menu for the Disney Plus movie and entertainment streaming service on a computer screen in Walpole, Mass. Disney Plus says it doesnt have a security breach, but some users of the new streaming service have been shut out after hackers tried to break into their accounts.  (AP Photo/Steven Senne, File)
FILE - In this Wednesday, Nov. 13, 2019 file photo, a Disney logo forms part of a menu for the Disney Plus movie and entertainment streaming service on a computer screen in Walpole, Mass. Disney Plus says it doesnt have a security breach, but some users of the new streaming service have been shut out after hackers tried to break into their accounts. (AP Photo/Steven Senne, File) (Copyright 2019 The Associated Press. All rights reserved)

Disney said Disney Plus account passwords being sold in underground hacking forums are coming from previous breaches at other companies, predating last week’s launch of its streaming service.

The company reiterated Wednesday that it found no evidence of a security breach and that account problems are limited to “a very small percentage of users” of Disney Plus.

Disney and other traditional media companies are trying to capture the subscription revenue now going to Netflix and other streaming giants. Helped by promotions, including a free year for some Verizon customers, Disney Plus attracted 10 million subscribers on its first day.

The news site ZDNet found stolen account usernames and passwords selling for $3 on underground hacking forums. Disney’s streaming service costs $7 a month or $70 a year.

Despite warnings by security experts, users often reuse passwords at multiple services, meaning a breach at one opens the door for a hacker to gain access to the others.

Users can easily avoid this by using strong passwords that are unique for each service, said Troy Hunt, an Australian security researcher whose "Have I Been Pwned?" website alerts people when their identity information is stolen.

But Hunt said Disney should implement better security measures.

“The Disney situation appears to be yet another credential stuffing attack where hackers exploit a combination of customers reusing passwords and the service provider not providing sufficient defenses to stop it,” Hunt said in an email.