Bingo. People using the same login on multiple sites.
The sellers get massive email:password lists, which are known as combo lists. These are usually from hacked sites that have been SQL injected.
People probably all have giant lists of Netflix, Hulu, etc. accounts and then just recheck them on Disney+.
Then they'll use a checker app which just mass checks the sites. I imagine Disney don't have a CAPTCHA set up or require it after a large number of failed logins.
There's no point IP limiting logins as most guys will be using massive botnet proxy services that give you a zillion IPs.
We really need even just a 1FA solution that's friendly enough for normal people to use securely. Passwords clearly aren't secure for normal people, and we should stop pretending like they ever were.
It exists already. Disney could just federate their logins to Google, for example, and all these problems are solved for them for free.
Note that both Google and Facebook have extensive infrastructures in place to detect and block password reuse based account hacking. Knowing the password is not enough to always log in to a Google account. In some cases the login process will ask you questions about your account or ask you to receive a code on your phone to verify authenticity. It's a bit like a heuristically triggered and thus easier form of 2FA.
Disney's problem here is that they have tried to make their own global federated account system but without much expertise in doing so. Tech firms have successfully fought off and blocked these attacks years ago.
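Added example, not part of the thread and not any vendor's actual logic: a minimal sketch of the heuristically triggered step-up described above, which counts failures site-wide instead of per IP and challenges a correct password that arrives from an unseen device. The class name, thresholds, device identifiers and sample events are all hypothetical and constructed.

```python
from collections import deque

class LoginRisk:
    """Hypothetical step-up policy keyed on account history and the site-wide
    failure rate, not on per-IP counters (which rotating proxies defeat)."""

    def __init__(self, window=300, min_attempts=20, fail_ratio=0.8):
        self.window = window              # seconds of site-wide history kept
        self.min_attempts = min_attempts  # assumed threshold, tune per site
        self.fail_ratio = fail_ratio      # assumed threshold, tune per site
        self.recent = deque()             # (timestamp, password_ok), all sources
        self.known_devices = {}           # account -> devices that passed a challenge

    def under_attack(self, now):
        # Drop events older than the window, then measure the failure ratio.
        while self.recent and self.recent[0][0] < now - self.window:
            self.recent.popleft()
        total = len(self.recent)
        fails = sum(1 for _, ok in self.recent if not ok)
        return total >= self.min_attempts and fails / total >= self.fail_ratio

    def decide(self, now, account, device, password_ok):
        self.recent.append((now, password_ok))
        if not password_ok:
            # Failures spread over many IPs still add up site-wide.
            return "captcha" if self.under_attack(now) else "deny"
        if device in self.known_devices.get(account, set()):
            return "allow"
        # Correct password from an unseen device: the password alone is not enough.
        return "challenge"

    def challenge_passed(self, account, device):
        self.known_devices.setdefault(account, set()).add(device)

def demo():
    """Constructed events: 25 failed guesses, then one reused password that works."""
    risk = LoginRisk()
    risk.challenge_passed("alice@example.com", "alice-laptop")
    guesses = [risk.decide(t, f"user{t}@example.com", f"dev{t}", False)
               for t in range(25)]
    reused = risk.decide(26, "alice@example.com", "unseen-device", True)
    owner = risk.decide(27, "alice@example.com", "alice-laptop", True)
    return guesses, reused, owner

if __name__ == "__main__":
    print(demo())
```

The source IP never enters the decision, so rotating proxies change nothing: the 20th failure inside the window trips the CAPTCHA requirement, and the one guess with a valid reused password still lands on a challenge rather than a session.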