You might want to reconsider sharing the login details of your streaming service account with friends and family to avoid the risk of falling victim to fraud or identity theft at the hands of tech-savvy organised crime groups.
The warning comes as thousands of Disney Plus customers reported hackers were accessing their profiles, changing their login credentials and selling their accounts on the dark web.
Disney was adamant it did not suffer a data breach, saying the login details were “leaked from previous breaches at other companies, pre-dating the launch of (the streaming service)”.
The so-called “credential stuffing” attack is a popular technique used by hackers who obtain passwords and usernames via malicious means before seeing if those details will gain access to accounts on different websites.
This is achieved through perseverance – trying various combinations of usernames and passwords until access is granted.
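A defender-side illustration of that pattern, added here and not part of the original article: a source that tries many different accounts with a low success rate looks like credential stuffing, and any account it did get into needs a forced password reset. The thresholds, function names and sample login events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source IP, username, login succeeded).
# IPs are documentation ranges; none of this is real data.
SAMPLE_EVENTS = (
    # One source walking a list of leaked credential pairs; one pair still works.
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    # A real user mistyping a password twice before getting in.
    + [("198.51.100.20", "dave@example.com", ok) for ok in (False, False, True)]
    # A household behind one address, everyone logging in normally.
    + [("192.0.2.55", f"family{i}@example.com", True) for i in range(3)]
)


def flag_stuffing_sources(events, min_accounts=5, max_success_ratio=0.2):
    """Return stats for sources that tried many distinct accounts and mostly failed."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user.lower())
        stats["attempts"] += 1
        stats["successes"] += int(ok)

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["successes"] / stats["attempts"]
        # Many accounts plus a low hit rate separates list-testing from
        # a forgetful user (one account) or a shared address (high hit rate).
        if len(stats["users"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {
                "accounts": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
            }
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into successfully: treat as taken over."""
    return sorted({user.lower() for ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    suspicious = flag_stuffing_sources(SAMPLE_EVENTS)
    print("flagged sources:", suspicious)
    print("force reset for:", accounts_to_reset(SAMPLE_EVENTS, suspicious))
```

Large campaigns spread attempts across many source addresses, so per-source counting like this is one signal among several.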
Cyber security expert from F5 Networks Jason Baden said it was a “very bad idea” to share passwords or to use similar login credentials across different services.
“When credentials are compromised on one system, there is a very good likelihood that these same credential pairs, or similar variations, will work across other systems,” he told nine.com.au.
“People tend to reuse passwords for convenience – imagine trying to remember unique passwords for all the different applications we use in our daily lives.
“However, attackers understand this and seek to abuse this human failing.”
Mr Baden said cyber criminals use advanced automation software to gain access to numerous accounts.
“Hackers routinely use large data sets of compromised credentials – often bought on the dark web or through traditional organised crime networks – combined with automation to test these compromised credentials across other services on a mass scale,” he said.
“There are also specialist groups inside organised crime gangs that take bulk raw data from breaches and refine that data to create smaller, more valuable, data for resale to other groups or gangs.
“In the case of password breach data, these specialists will test the credentials to determine if they are still valid and what other sites they might be effective for – this is a much more valuable set of data which commands a better price on dark markets.”
Mr Baden said the best way to protect yourself was to make sure passwords are different from service to service.
“It is a good practice to use long and complex passwords; passwords with lower case, upper case, numerals and special characters,” he said.
“While it is not possible to remember many, if any, complex passwords, the use of password generators and safes allows for the automatic creation of randomised complex passwords that can be securely saved in the vault for reference as required.”
“A good general recommendation for keeping accounts secure is to also utilise Multi-Factor Authentication wherever available.”
The cyber security expert also warned people to be careful what information they share on social media, as cyber sleuths could use this to guess the answers to your security questions on accounts.
“It is also a good idea to ensure that where you have, that question and answer pairs are actually hard to discover or guess and aren’t publicly available information,” he said.
“Think about the material you post on social media. Is it actually hard for an attacker to discover what your Mother’s Maiden name is? Where you graduated from high school or the name of your favourite pet?”
Nine, the publisher of this website, is the owner of streaming service Stan.