It can be tempting to share your various service logins with a pal, especially because they ain’t getting any cheaper. But you might think twice before handing those Netflix or Disney+ credentials over to a friend—particularly if your password and account protection protocols are lax.
Earlier this month, an investigation by ZDNet found that Disney+ accounts were being sold on the dark web just days after the streaming service’s launch on November 12. In a statement, a spokesperson for the company said that it had no reason to suspect a data breach, adding that billions of credentials “leaked from previous breaches at other companies, pre-dating the launch of Disney+, are being sold on the web.”
“We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password,” the Disney spokesperson said in a statement. “We have seen a very small percentage of users in this situation and encourage any users who are having these kind of issues to reach out to our customer support so we can help them.”
Harris Poll research done in partnership with Google and published in October found that 43 percent of a nationally representative sample of 3,419 U.S. adults said that they’ve shared a password with someone in the past. Of those, 22 percent have shared their password for a TV or movie streaming service. But sharing passwords can put your account at risk for a number of reasons.
First, people frequently reuse passwords for accounts. According to the Harris Poll findings, 66 percent of respondents reused the same password for multiple accounts, meaning that sharing login credentials for a single account with someone else could put multiple accounts at risk—as appears to have been the case for hundreds and possibly thousands of Disney+ customers.
David O’Brien, a senior researcher and assistant research director for privacy and security at Harvard University’s Berkman Klein Center for Internet & Society, recently told Gizmodo by phone that password sharing for services like Disney+ and Netflix is highly inadvisable.
“I think it’s generally not a great idea because you’re giving your credentials to someone else who might not have your best interest in mind when it comes to your security, so it does raise the possibility that those credentials could be lost in some way. You never know how they could be used,” O’Brien said. “We’ve seen plenty of attacks in the past that indicate it’s often possible using multiple accounts from different services to triangulate in and get access to something you really care about.”
Worse is the tendency to create passwords that are easy to remember and, therefore, easier for password crackers to guess, making an account susceptible to brute-force attacks. According to the Harris Poll findings, 59 percent of users incorporated a name or birthday into their password for an account, with 22 percent of those using their own name, 15 percent using a partner’s name, and 33 percent using a pet’s name—information that might easily be found on social media or through previously compromised credentials.
Plus, since many of us likely assume we’ll be sharing our streaming service logins, it stands to reason that we are more likely to create easy-to-remember passwords for those services, which is a great way to get your account completely hijacked.
When it comes to individual security protocols, simply switching a letter or number in a password for an account a user perceives to be low risk—such as the login for a streaming service—is not good enough, and users shouldn’t assume that the worst that can happen is that someone will get to mooch off their streaming access. Again, jeopardized logins can put other accounts at risk.
In order to best protect your account, enabling two-factor authentication where it’s available is a good way to safeguard against brute-force attacks, O’Brien said, regardless of the service. And yes, that means your streaming accounts. Unfortunately, neither Disney+ nor Netflix has indicated that they care enough about your security yet to put two-factor authentication in place on their platforms, which means you should be extra careful with those credentials.
You should also be using unique and randomly generated passwords for every single account—ones you don’t even have to know to begin with. Using a password manager like 1Password or LastPass can help manage the dozens or hundreds of account logins while also allowing you to create unique, randomly generated passwords for each of those individual accounts with a click. Treat your passwords like you’d treat Baby Yoda and protect that shit.