Cybersecurity news headlines for 1-30 November, 2019

November’s edition of cybersecurity news headlines is a short one. We have just three stories to report on. Hours after the much anticipated streaming service Disney+ launched, accounts were already for sale of hacking forums. Smartphone manufacturer OnePlus and telecommunications giant T-Mobile both disclose data breaches, which exposed some of users’ personal information.

In no particular order, here’s what made the biggest headlines in cybersecurity in November.

Disney+ accounts for sale on hackers forums, hours after launch

Highly anticipated streaming service Disney+ launched on November 12, 2019, and within hours stolen accounts were already being sold on hacking forums for up to $11. Streaming services like Netflix, HBO, and Hulu have had this issue for a long time, but they have been around for many years. Seeing Disney+ accounts for sale some hours after launch is quite surprising.

While Disney+ is currently only available in the US, Canada and the Netherlands, millions of users have signed up for the service. Within hours, complaints started coming in about users being unable to access their accounts. According to many reports, hackers were able to access accounts, log out the owners, and change the login information, essentially locking owners out of the accounts they paid for. The primary cause for this is likely users’ tendency to reuse passwords.

According to reports, the accounts are being sold with prices ranging from $3 to $11. While a one month subscription for Disney+ costs $7, users can purchase yearly subscriptions for $69.99, which is why some accounts are sold for $11. Technology website ZDNet reports that some account credentials were give away for free.

Password reuse has always been an issue, and no matter how many times users are warned not to do it, they still use the same password for multiple accounts. For some Disney+ users, password reuse could have allowed hackers access. There are special tools that automatically insert login credentials obtained from past data breaches, which allows hackers to steal accounts in a matter of seconds and with little effort. Another way hackers could have stolen account credentials is if users’ computers had keyloggers installed on them.

One thing Disney+ can do to protect its users is to introduce two-factor-authentication. So even if someone had users’ login credentials, they would not be able to access the account without entering a code or verifying in some other way.

Smartphone manufacturer OnePlus reveals data breach

Chinese smartphone manufacturer OnePlus revealed a data breach that impacts its online store customers. The breach, which took place in mid November, revealed customers’ personal information, including names, phone numbers, emails and shipping addresses. According to OnePlus, passwords or financial data were not stolen or accessed.

The company first noticed that an unauthorized party was accessing users’ order information while monitoring their systems. According to a FAQ posted about the breach, OnePlus took immediate steps to stop the unauthorized access but not before he/she were able to take off with personal information.

Before announcing the breach to the public, the company informed affected users via email. Users who have not received the email can rest assured their data is safe. Relevant authorities have been informed of the incident.

While the exact cause of the breach is not specified, it is believed that a vulnerability in the website was responsible. The exact number of impacted users has not been named.

“We’ve inspected our website thoroughly to ensure that there are no similar security flaws. We are continually upgrading our security program – we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December,” the company said.

T-Mobile discloses security breach

Mobile telecommunication company T-Mobile has disclosed a data breach that impacts its prepaid service customers. In a statement, T-Mobile says their security team discovered unauthorized access to prepaid wireless account information, which they promptly shut down.

“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account,” the company said in the statement.

According to T-Mobile, the unauthorized party was able to gain access to information associated with users’ prepaid service accounts, which includes names, billing addresses, phone numbers, account numbers, rate plans and features. No financial data, social security numbers, or passwords were accessed.

Authorities have been contacted, and impacted users were informed via text messages. Users are recommended to confirm or update their PINs on their T-Mobile accounts for additional protection.

The company has not disclosed how many users were impacted, or how exactly the breach happened in the first place.