Directive Blogs
Disney+ Hacked Within Days of Launching. Here’s What SMBs Can Learn From This
Disney+, Disney’s new Netflix-like streaming service launched with a lot of fanfare on November 12th. The service promises to offer Disney’s massive library of shows and movies, including content from all of the franchises the company has been buying up over the last decade. Unfortunately, many thousands of subscribers have come to find their credentials stolen, and the House of Mouse isn’t exactly giving anyone a clear answer.
This leads to the question, how would your business handle a data breach?
What Happened?
Within hours of the service launching, hackers started stealing account information from Disney+ subscribers. Like most online services, the first few days were riddled with technical issues - lots of users had trouble signing in or accessing content. A smaller percentage of users were reporting that they were getting kicked out of their accounts and having their email and passwords changed. Come to find out, hackers were hijacking the accounts and selling them on the dark web.
Some of these users prepaid for multiple years of the service, so for many, it was a pretty frustrating situation to get stuck in. Worst of all, Disney wasn’t very vocal about any of this during the crucial first week.
Lesson #1: Managing Expectations
Disney+ fell into the same trap many small-to-medium sized businesses often do… over-promising, under-delivering, and not doing any damage control. With over 10 million customers in its first 24 hours of availability, Disney+ was poised to make history. While this is all great, thousands of customers are very burnt and this can cause a pretty significant ding in a company’s reputation.
To be fair, Disney has the girth and the deep pockets to survive this, and the new streaming service will likely survive this fiasco despite the pain it has caused a small percentage of customers. Upstate New York businesses like yours and mine don’t necessarily have that luxury. We can’t make the same mistakes Disney+ did, and ignore the damage control and still come out on top.
Whether a business is a massive global enterprise like Disney, or a small family-owned operation like many of the ones in Oneonta, managing expectations is critical.
Lesson #2: Communication Is Key
Thousands of subscribers are reaching out to Disney+ for solutions when they find they are unable to log into their accounts. The overwhelming feeling is that Disney+ isn’t being responsive, or worse, don’t know what they are doing. They don’t have enough customer support personnel on phones, chats, email, or social media to respond quickly. This gives subscribers the feeling that Disney doesn’t care about their issues and that’s a sure-fire way to lose customers; even if the situation isn’t due to anything Disney+ did.
Social media is one of the best communication tools available today. It allows communication between customers and businesses, enabling a business to do the one thing which is critical in an emergency; manage expectations.
If your business is experiencing a major problem that is disrupting a large number of customers, it is best to take the high road and own up to it and make your entire customer base feel like you are treating it as a priority.
Lesson #3: The Importance of Password Security
Connection issues aside, the big issue that a small percentage of Disney+ customers are dealing with is hacked accounts. As we write this, there are ads for Disney+ accounts on the dark web, waiting to be sold for around $3.00 or less.
However despite early headlines shouting that Disney+’s security was insufficient, the reality is this breach is not the fault of Disney+, but of its subscribers. These subscribers didn’t use best practices in regard to securing their passwords.
So how did this happen? Unfortunately people tend to use the same passwords for multiple services, exposing themselves to a cascade effect of exposure once one account is compromised. Passwords stolen in previous data breaches are frequently used to access the victim's accounts months after the initial breach. Hackers rely on the fact that many people use the same passwords. It’s likely that the accounts weren’t stolen from Disney itself, and were from some other service.
How Could Disney+ Prevent This?
Unfortunately, it’s not really feasible to enforce unique passwords from your entire customer base, but it should always be encouraged. The real problem is the lack of additional security for a person’s account. Disney+ doesn’t offer 2-factor authentication at this time. The service also makes it difficult to remove unwanted devices that have connected due to a breached password.
In the grand scheme of things, the outlying problem wasn’t Disney’s fault, but they also didn’t really offer a lot to consumers to help pre-emptively protect their accounts. Of course, it can be assumed if a user is going to use the same password across multiple services online, they probably aren’t setting up optional 2-factor authentication either.
It’s Time To Adopt Password Best Practices
Best practices aren’t always easy to implement and as a smaller business, you may feel you don’t have the financial resources or experience to enact them, or worse - as an SMB - you think you’re not at risk; unfortunately, that’s not true.
For every enterprise-level business like Disney that’s attacked, there are hundreds of smaller businesses like yours being targeted because hackers know your security has holes that can be compromised. Enacting best practices is the first step to reduce the gaps in your security and keep your data safe.
Best Practices for Password Management
It’s not too late to enact a password management policy in your business and personal environment.
- Unsure of the security of your passwords? Google provides a turnkey password checkup tool that lets you know if your passwords were part of a data breach. It also checks if you have reused passwords or if your passwords aren’t strong enough. Have I been Pwned and LastPass offer similar services.
- Take a moment to look over our Do's and Don’ts of Managing Your Passwords for a brief primer on password best practices.
- Use two-factor authentication. Simply put two-factor authentication (2FA), is an additional verification step which emails or texts you a one-time use PIN code needed to log into your account. Sadly, only 28% of users utilize 2FA.
Let’s Help You Prepare for Issues and Prevent Them Whenever Possible
Directive offers a wealth of services to help you manage your technology. Our Ultimate Social Media Rig is designed to give you the expertise and confidence to communicate with your customers, reinforcing your ability to provide the services they are expecting. Most importantly, with social media you can manage expectations and control the message your clients are receiving about the issue.
Concerned about your infrastructure and ability to effectively provide your customers with the services they expect? In addition to the social media rig, Directive offers proactive, managed services covering end-to-end IT solutions. With Directive as your partner, you will be able to focus on your business, your clients, and your bottom line, while we handle your technology from start to finish. Call today at 607.433.2200 for more information or to schedule a consultation.