
Disney+ fans without answers after thousands hacked - sunils34
https://www.bbc.com/news/technology-50461171
======
whoisjuan
Well. There’s a reason why Netflix is successful. They spent a lot of money
and time operating as a tech-heavy company before becoming a content-heavy
company. Just as an example, their Open Connect appliances
([https://openconnect.netflix.com/en/](https://openconnect.netflix.com/en/))
are an impressive piece of technology that probably needed years of research.

Launching a streaming service sounds simple on paper but there are
hundreds of complexities under the hood that ensure availability, speed,
security, and reliability.

If my Netflix experience wasn't as trivially smooth as it is (from a UX point
of view) I wouldn’t pay for it.

~~~
paulddraper
I thought I'd try out Disney+.

Then I found out it doesn't support Vizio Smartcast/Chromecast.

That's...bizarre. I guess I'll watch on my little laptop screen.

Turns out it doesn't support Linux either.

:/

EDIT: I eventually downloaded a Windows VM and watched it there. What could
they possibly be gaining from that though??

~~~
xnyan
I love linux, I use it every day more than any other OS. I don't understand
why other linux users act surprised that corporate America frequently ignores
it altogether or uses DRM methods that are not compatible. I don't think it's
right, I don't think it's good, but it's not new or unusual or surprising.

The reality is that linux makes up 2-4 percent of the desktop PC market which
itself is a fraction of mobile use and even then, most linux users have the
capability to watch it on something else. More of their customers are on
windows XP than all linux desktop distros combined. I don't think they
consider it anything close to financially worth it and I don't know if I
disagree, even if I wish it was otherwise.

~~~
chii
Which is why the web is the best platform to support. I don't get why
companies offering a service that can easily be web-delivered don't do it as
their primary mode of business.

~~~
josteink
> Which is why the web is the best platform to support.

But then they “support” it with platform-specific WebDRM which doesn’t work on
Linux or in truly free/open browsers.

Nothing gained.

~~~
aries1980
DRM doesn't seem to stop warez. Things that can be decoded, can be shared.

All they gain with DRM is to put off potential customers. For many of us, the
best way would be a downloadable file format, that I can copy or watch
whatever player or device I want to use.

------
joshmn
Laughing at some of this reporting.

> More than 4,000 customer accounts appeared in the search

To clear this up:

No, not true. The software in the screenshot is called Open Bullet and it's
basically a request builder for Selenium (ok it's more than that but you get
the idea). You add in lists of usernames/passwords (from database dumps) and
it runs your script. You have success/fail reporting, and that's where you get
"Hits: 4".

> Ads on the dark web for stolen Disney+ accounts

That's a sellers page from shoppy.gg — not the dark web.

~~~
rvz
While you are correct, the BBC are 'really trying' their best to explain this
disaster to the average John and Jane. But again they are still in the middle
ages when it comes to mentioning the technical side of these 'attacks'.

Says pretty much a lot about them when it comes to technology in general.

~~~
joshmn
I understand that. I wish that they would at least correct the first photo of
the combos. Saying that there are 4000 accounts when there are 4 is
misleading. "A hacker checking the logins of 4,000 potential accounts" is
better and more accurate subtext.

------
TallGuyShort
They can still torrent the content, which is what I'm doing after I paid for
the first month of Disney+ and then found out their DRM disallowed Linux
because of "security levels".

~~~
markovbot
You issued a charge back with your credit card company for that, right?

~~~
pcr0
You'll probably never be allowed to sign up for D+ again. I'd only use charge
backs as a final resort if I can't contact the company and/or I never want to
do business with them in my life.

~~~
gsich
Just use a different payment system next time.

~~~
WrtCdEvrydy
Nah, just cancel quietly.

------
hsailor
I am sure Netflix and amazon prime users also reuse their passwords, but I
haven’t yet heard about users having the Disney+ issues with these accounts.

~~~
mcintyre1994
No idea about Netflix, but for Amazon I bet there’s less account sharing than
the other two - because it’s your actual Amazon account. My Netflix account is
the only one that doesn’t have a very complex password manager password,
because I share it with family. I won’t share my amazon account because I
won’t give it that sort of password. I guess Disney+ is much closer to Netflix
on that scale.

~~~
mikey_p
Netflix definitely has trouble with this because they too lack the whole
"delete all sessions" capability, so it's next to impossible to recover an
account that has been compromised. My partner went through this, and Netflix
support told her to delete the account and make a new one (losing all our
recommendations in the process). Why they can't be bothered to add a "log out
all users" feature the way something like Github or even Plex offers is beyond
me.

~~~
J5892
Netflix does have that feature:

[https://www.netflix.com/ManageDevices](https://www.netflix.com/ManageDevices)

~~~
MattSteelblade
Confirmed. I've used it

------
rvz
[http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/](http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/)

~~~
NiceGuy_Ty
All of the pros of JWTs _do_ apply to Disney+

------
devmunchies
yikes. It doesn't support the security feature of logging everyone out of the
account? So if someone gets access to your account they're in for good.

~~~
silviogutierrez
Sounds like JSON web tokens! Should have stuck to sessions if that's the case.

Admittedly, the performance benefits of jwt are probably warranted here. But
still, you either end up building an in-memory blacklist or a DB table thus
negating most benefits.

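The "in-memory blacklist or DB table" the comment refers to can be as small as one integer per user: a session version that is embedded in every token and bumped when the user chooses "log out everywhere". This is an added example (not code from Disney+, Netflix or anyone in the thread) using only the Python standard library; the signing key, user id and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: the server's HS256 signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, session_version: int, exp: int) -> str:
    """Mint an HS256 JWT that carries the user's current session version ('sv')."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "sv": session_version, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_stateless(token: str, now: int) -> Optional[dict]:
    """Pure JWT check: signature and expiry only. It cannot know about logouts,
    so a stolen token stays valid until 'exp' whatever the account owner does."""
    try:
        h, p, s = token.split(".")
        # Always recompute HS256; the header's 'alg' field is never trusted.
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        claims = json.loads(_unb64(p))
    except (ValueError, TypeError):
        return None
    return claims if claims.get("exp", 0) > now else None

# Server-side state, one integer per user: the "DB table" the comment mentions.
SESSION_VERSIONS = {}

def logout_everywhere(user_id: str) -> None:
    """Bump the version; every token minted before this call is now rejected."""
    SESSION_VERSIONS[user_id] = SESSION_VERSIONS.get(user_id, 0) + 1

def verify_with_revocation(token: str, now: int) -> Optional[dict]:
    """Same check plus one lookup, which is what makes 'log out all devices' work."""
    claims = verify_stateless(token, now)
    if claims is None or claims.get("sv") != SESSION_VERSIONS.get(claims.get("sub"), 0):
        return None  # bad token, or one that predates a log-out-everywhere action
    return claims
```

The lookup costs one cache or table read per request, which is the trade-off the comment describes: the stateless check alone keeps accepting the old token after the logout.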
~~~
echelon
It's not that hard to build a highly available active-active session service
given time and engineering headcount.

It's hard if you're trying to get out the door fast, though.

~~~
silviogutierrez
Yea I'm not saying it's impossible. But I'm saying it's probably easier to
just make traditional cookies/sessions scale.

I went through my shiny jwt phase. I'm happily back in session land though.

------
kilo_bravo_3
I don't know what answer they're due, except "This happened because you reused
a password".

------
tobr
Why are Disney+ customers referred to as “fans”?

~~~
geodel
I guess similar reason Restaurants' customers are referred to as guests.

~~~
tobr
Huh, not really? A “fan” is an enthusiast or admirer. It implies a certain
type of relationship to the thing you are a fan _of_.

I don’t know that “guest” implies anything similar, it’s just a visitor.

~~~
imgabe
Guest implies that you have been invited and expect to receive hospitality
from your host. Visitor is just someone who showed up somewhere.

------
bobbonew
OP you can do better with that title. We all know it wasn’t “hacked”.

~~~
mcbits
Disney apparently wasn't hacked, but the users were. Password guessed/stolen =
account hacked in common parlance.

~~~
buzzerbetrayed
In common parlance, yes. However, I would argue it doesn’t mean that on hacker
news.

~~~
mcbits
The BBC doesn't write for Hacker News. And I would argue that just about
everyone here understands what "hacked" means in this context anyway.

------
derrikcurran
I recently had some suspicious activity on my HBO and Hulu accounts. I checked
my email address on haveibeenpwned.com and found some pastebin links at the
bottom from August 2019. Sure enough, my email and password for HBO were there
in plain text along with many others. The format was like this:

    ================
    notarealperson@email.com:password123
    Subscription: Your HBO NOW subscription is billed through
    [HBO]
    Expiry Date: September 20, 2019
    21 Days Remaining

I haven't figured out the source yet. It's possible that someone just took
these recent dumps and ran them against Disney+

------
aaron695
> Disney+ fans without answers after thousands hacked

A google search of one of the email:password pairs came up with a Soundcloud 2018
email:password dump.

Seems like an everyday dump of reused passwords.

That happens every day for all the services.

Just seems like everyone wants to take down Disney. Like OMG they had an issue
on the first day streaming!

I also want to see them fail, but for no good reason. I just enjoy seeing
people fail, I guess I'm not alone.

------
calvinbhai
I thought Disney+ rollout would have no hiccups, because I thought Hotstar (I
think it is mostly India based content) owned by Disney did quite well during
the cricket world cup, in terms of live streaming (which I thought is more
complex than streaming movies).

My respect for Netflix goes up each time a new streaming service has a hiccup.

------
magashna
It would really make me laugh if Disney was at fault but it sounds like people
with compromised credentials reusing those same creds.

~~~
Bootwizard
How do you know if your credentials are compromised?

~~~
skyo
Probably the best way to check is
[https://haveibeenpwned.com/](https://haveibeenpwned.com/)

~~~
dagurp
Or [https://monitor.firefox.com/](https://monitor.firefox.com/) (which is
basically the same thing)
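The same site also lets you check a password rather than an email address, through its Pwned Passwords range API, without sending the password or its full hash: only the first five hex characters of the SHA-1 go to https://api.pwnedpasswords.com/range/<prefix>, and the client matches the remaining suffix locally. Added example, not from the thread or from the site's own code; the HTTP request is left out so it runs offline, and the response body is a constructed sample in the real "SUFFIX:COUNT" line format.

```python
import hashlib
from typing import Dict, Tuple

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password as upper-case hex and split it: the 5-char prefix is what
    gets sent to the range endpoint, the 35-char suffix never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(password: str) -> str:
    """URL to GET for this password's prefix (the only thing the service sees)."""
    prefix, _ = split_hash(password)
    return RANGE_ENDPOINT + prefix

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix (CRLF-separated)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in known breaches, 0 if never seen."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)

# Constructed sample response (real bodies run to several hundred lines).
SAMPLE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:7\r\n"
)
```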

