Thousands of Disney+ subscribers say they’ve been hacked since signing up for the new streaming service.
Hackers have allegedly already stolen thousands of customer accounts, according to the BBC.
Ten million people signed up for the service since its launch on Nov. 12.
Hours after the service launched, customers reported being locked out of their accounts.
Thousands of accounts were soon for sale on the dark web for as little as $3, according to ZDNet. Disney+ costs $6.99 a month.
The subscriptions available on the dark web show what type of subscription the customer bought (monthly, yearly, bundle with ESPN+, etc.), what country the service is based in (it has only launched in the U.S., Canada and the Netherlands, so far) and when the subscription expires.
Customers who have been locked out of their accounts reported their email addresses and passwords were changed.
Jason Hill, a cybersecurity researcher, told the BBC that many people reuse passwords across websites and accounts, which likely played a large part in this hack.
“Whilst many may consider having a unique password for each online service to be difficult to manage, password managers simplify this process and allow you to generate and securely store unique difficult-to-guess passwords,” he said.
Disney+ does not currently have two-factor authentication, a feature that requires users to answer a prompt on a secondary device when logging in to a website or service.