Warning about hacked emails

I haven’t seen anything posted here yet about this, and although it may have been discussed in a thread about Disney+ it deserves more attention.

As many of you will have seen, email accounts connected to Disney+ have been hacked.

There have been a lot of reports over on the DIS about emails from “Disney” with apparent changes to FPs. Best advice is to ignore them and, as always, do not open any attachments! Instead, check MDE to see if any changes have indeed been made (which is highly unlikely).

2 Likes

I thought that the Disney+ wasn’t really a hack in the traditional sense so much as it was the bad people have a bunch of email addresses and passwords from other sites and gave it a whirl on D+ to see if it worked.
I was having trouble with my DH’s MDE account this past week b/c he had two and the IT CM I spoke with on the phone indicated that multiple MDE accounts were being created because people didn’t realize that they should use the same email login for D+ as for their MDE accounts. We had multiple because DH was logging into DVC with a username, not an email, so the system kept creating new MDE accounts for him. It was quite a mess.

Credential Stuffing

The strategy is pretty straightforward. Attackers take a massive trove of usernames and passwords (often from a corporate megabreach) and try to “stuff” those credentials into the login page of other digital services. Because people often reuse the same username and password across multiple sites, attackers can often use one piece of credential info to unlock multiple accounts.

Interesting article. Thanks. I still can’t figure out what the bad guys can do with that data, though.

Username and password breach is the first stepping stone to identity theft. Personal information has a price and is highly marketable. They sell it to other bad people who use it to try and hack into your financial accounts and gain other profitable personal info like ss#, address, mother's maiden name.

1 Like

Yes, but why use the email addresses to send fake emails? I mean, they won’t see the outcome, so it’s not even as if they have their fun that way. :woman_shrugging:

To verify that it’s a legit email.

But how will they know?

An email saying “your FP has been changed” - what use is that? :woman_shrugging:

If they don’t get a “mail doesn’t exist” or “mail is not valid” email back… bingo, they’ve verified that your email is valid. And they know your password. Now imagine you use the same password in PayPal or Netflix or Amazon… you’re going to be seeing a lot of charges in your account very soon!

1 Like