Tuesday November 12. With the boom of streaming platforms in full swing, the whole world was waiting for the arrival of one of the most eagerly anticipated: Disney Plus, which was gearing up for a high-profile launch. However, just hours after it was launched, the problems started: several users claimed that their passwords had been stolen, meaning they had lost access to their accounts. Their accounts contained information such as email addresses, bank details, credit cards… And all this information was stolen before the users could watch a single minute of video.

Users’ messages were all similar: “They’ve changed my email address and password, and blocked my account.” “Disney Plus has been active for 10 hours and it’s already been hacked.” The scope of the incident is noteworthy: on its first day in action, the platform already had 10 million users, all of whom had their security threatened.

How did these accounts get stolen? According to what ZDNet has been able to find out, the cybercriminals had already started to sell the accounts on the deep web for around three dollars. Each user had signed up to pay seven dollars a month, so getting an account for three dollars is a chance that many are likely to leap at. What’s more, it carries with it serious negative consequences for Disney: firstly, the loss of up to $70 million; and secondly, the reputational damage to such a large company after suffering a cyberattack just hours after a launch.

What happened?

Ever since the incident, there have been several versions of what happened. Disney Plus affirms that it didn’t suffer a data breach, and that its platform hasn’t been hit by a cyberattack. After these declarations, another possibility began to take form: that the victims had been affected by a previous cyberattack, and had then signed up for Disney Plus with the same email address and password combination.

However, this version of events wasn’t satisfactory for everyone: by the time ZDNet reported the data breach, thousands of users had already been affected by the theft, so the possibility that someone had used a vulnerability in the platform to illicitly access these accounts was never ruled out.
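The credential-reuse explanation above (an email/password pair leaked in an earlier breach being tried on a new service) is something a service can blunt at signup by refusing passwords already known to be breached. The following is an added example, not code from the original article, from Disney or from Cytomic: it models the range-query lookup that breach-checking services use, where only the first five hex characters of the SHA-1 hash are sent and matching is done locally. The breach corpus, the function names and the leaked passwords are constructed for the example.

```python
"""Signup-time check for passwords already present in a breach corpus.

Added example, not code from the original article, Disney or Cytomic.
Models a k-anonymity range query: the client sends only the 5-char SHA-1
prefix, receives every suffix under that prefix, and matches locally, so the
full hash never leaves the client. The corpus is a constructed stand-in.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: passwords "leaked" in earlier incidents, with
# the number of times each one was seen.
_CONSTRUCTED_LEAKED = {"password123": 4821, "letmein": 955, "welcome1": 3}


def _sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict[str, int]) -> dict[str, dict[str, int]]:
    """Index leaked hashes by 5-char prefix -> {35-char suffix: count}."""
    index: dict[str, dict[str, int]] = defaultdict(dict)
    for pw, count in leaked.items():
        h = _sha1_upper(pw)
        index[h[:5]][h[5:]] = count
    return index


BREACH_INDEX = build_range_index(_CONSTRUCTED_LEAKED)


def range_query(prefix: str, index=BREACH_INDEX) -> dict[str, int]:
    """Stand-in for the remote side of the lookup: all suffixes under a prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index=BREACH_INDEX) -> int:
    """How many times the password appears in the corpus; 0 if never seen.
    Only the prefix is passed to range_query; the suffix is matched here."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    return range_query(prefix, index).get(suffix, 0)


def signup_allowed(password: str, index=BREACH_INDEX) -> tuple[bool, str]:
    """Policy decision for a signup form: reject any known-breached password."""
    n = breach_count(password, index)
    if n:
        return False, f"password seen {n} times in earlier breaches; choose another"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        print(pw, "->", signup_allowed(pw))
```

In a real deployment `range_query` would call the breach service over HTTPS with the same five-character prefix; the local corpus here only stands in for that call so the example runs offline.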

The consequences of a data breach

Whatever happened, the fact remains that Disney Plus, like any other company whose customers’ credentials and private information are exposed, may experience some negative consequences:

1.- Economic losses. An incident of this kind can have a serious economic impact. The company affected may see a reduction in revenue due to the theft of accounts, along with a reduction in the number of new users signing up for an account. It is also necessary to fix the vulnerability in the IT system and reinforce cybersecurity protections, which will also have an economic impact.

2.- Sanctions. A company’s funds can also be hit if the company breaches regulations such as the GDPR. In cases of serious non-compliance, fines can be up to €20 million, or 4% of a company’s annual global turnover—whichever figure is higher.

3.- Reputational damage. Suffering an incident like this a few hours after launching a new platform is clearly not a great advertising campaign. Whether or not it was Disney’s fault, the fact remains that this incident may damage its image, especially if we bear in mind that its target audience is families and kids.

Automated analysis to avoid breaches

Any company could be exposed to a vulnerability like this one. This is why it is essential that they protect their endpoints while, at the same time, proactively monitoring and analyzing system activity to detect suspicious behavior in machines, users and processes.

All of the above is why Threat Hunting is still such a vital technique, and one of the most effective ways to deal with the current threat landscape. It acts proactively and iteratively to locate new threats, design responses to them, and stop them from getting around the organization’s security measures. Our solution Cytomic Orion offers exploration and hunting tools over the whole enriched set of events from the last 365 days. Among the exploration tools is a set of predefined queries that retrospectively discover TTPs; in cases like this, they let the organization figure out how the attackers got onto its system and the movements they made before they were discovered.
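To make the idea of retrospective hunting queries concrete, here is an added example that is not Cytomic Orion's own query set nor any Disney code. It runs two hunts over a stored authentication event log, constructed for the example: one for a credential-stuffing pattern (one source address trying many distinct accounts with mostly failures in a short window) and one for an account-takeover sequence (a successful login from an address the account had never used, followed shortly by an email change and a password change from that same address). The event format, field names and thresholds are assumptions.

```python
"""Retrospective hunting queries over an authentication event log.

Added example; not Cytomic Orion's queries nor Disney code. Event format,
thresholds and the log lines themselves are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "timestamp,user,src_ip,event" (documentation IP ranges).
RAW_EVENTS = """\
2019-11-12T10:00:01,alice@example.com,203.0.113.7,login_failed
2019-11-12T10:00:02,bob@example.com,203.0.113.7,login_failed
2019-11-12T10:00:03,carol@example.com,203.0.113.7,login_failed
2019-11-12T10:00:04,dave@example.com,203.0.113.7,login_ok
2019-11-12T10:00:05,erin@example.com,203.0.113.7,login_failed
2019-11-12T10:00:06,frank@example.com,203.0.113.7,login_failed
2019-11-12T09:30:00,dave@example.com,198.51.100.20,login_ok
2019-11-12T10:02:10,dave@example.com,203.0.113.7,email_changed
2019-11-12T10:02:40,dave@example.com,203.0.113.7,password_changed
2019-11-12T11:15:00,alice@example.com,198.51.100.21,login_ok
"""


def parse_events(raw: str) -> list[dict]:
    """Parse the CSV-style log into dicts sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ts, user, ip, kind = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "event": kind})
    return sorted(events, key=lambda e: e["ts"])


def hunt_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=5, min_fail_ratio=0.6) -> list[dict]:
    """Source IPs that hit many distinct accounts, mostly failing, within window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("login_failed", "login_ok"):
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():          # evs is already time-ordered
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                 # slide the window forward
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(e["event"] == "login_failed" for e in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                hits.append({"ip": ip, "distinct_users": len(users),
                             "attempts": len(span)})
                break                      # one finding per IP is enough
    return hits


def hunt_account_takeover(events, window=timedelta(minutes=15)) -> list[dict]:
    """Login from a never-before-seen IP followed, within window and from that
    same IP, by both an email change and a password change. An account's very
    first login is always 'new', so a real hunt would seed seen_ips from
    history older than the hunted range."""
    seen_ips = defaultdict(set)
    hits = []
    for i, e in enumerate(events):
        if e["event"] != "login_ok":
            continue
        user, ip = e["user"], e["ip"]
        is_new_ip = ip not in seen_ips[user]
        seen_ips[user].add(ip)
        if not is_new_ip:
            continue
        followups = {f["event"] for f in events[i + 1:]
                     if f["user"] == user and f["ip"] == ip
                     and f["ts"] - e["ts"] <= window}
        if {"email_changed", "password_changed"} <= followups:
            hits.append({"user": user, "ip": ip, "login_at": e["ts"].isoformat()})
    return hits


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("credential stuffing:", hunt_credential_stuffing(evs))
    print("account takeover:", hunt_account_takeover(evs))
```

Run against the constructed log, the first hunt flags 203.0.113.7 after five distinct accounts with an 80% failure rate, and the second ties the one successful login from that address to the email and password changes that followed, which is the kind of chain an analyst would want to pull out of a year of stored events.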

Once more, this kind of incident highlights the fact that cybersecurity has become one of the leading risks for companies in every sector. As a result, it is more important than ever that companies have the most advanced solutions and services to be prepared to deal with a possible attack from the moment it starts to the moment any consequences are seen, in order to minimize their effects.