WATCH LIVE: President Trump’s attorneys begin making their case in impeachment trial

Disney Plus user accounts already found on hacking sites

A Disney+ streaming service sign is pictured at the D23 Expo, billed as the "largest Disney fan event in the world," on August 23, 2019 at the Anaheim Convention Center in Anaheim, California. - Disney Plus will launch on November 12 and will compete with out streaming services such as Netflix, Amazon, HBO Now and soon Apple TV Plus. (Photo by Robyn Beck / AFP) (Photo credit should read ROBYN BECK/AFP via Getty Images)

Disney says its new Disney Plus streaming service doesn’t have a security breach, but some users have been shut out after hackers tried to break into their accounts.

The news site ZDNet found stolen account usernames and passwords selling for $3 on underground hacking forums. Disney’s streaming service costs $7 a month or $70 a year.

Disney Plus comes as Disney and other traditional media companies seek to siphon the subscription revenue now going to Netflix and other streaming giants. Disney is hoping to attract millions of subscribers with its mix of Marvel and Star Wars movies and shows, classic animated films and new series.

Helped by promotions, including a free year for some Verizon customers, the new service attracted 10 million subscribers the day it launched last week. The popularity led to some technical difficulties in the opening hours. Those problems have largely been resolved.

Disney says there’s no indication of a security breach compromising passwords. It says it takes the privacy and security of users’ data seriously. Disney Plus hasn’t said how many subscribers have had security problems.

It’s likely hackers found email and password combinations re-used by Disney Plus subscribers after they’d previously been stolen from other online services.

Paul Rohmeyer, a professor at the Stevens Institute of Technology in Hoboken, New Jersey, said he’s surprised that streaming services haven’t yet implemented better security such as multi-factor authentication, in which users must enter a code sent as a text message or email when logging in from a new device. The code helps ensure that people using stolen passwords or guessing them can’t use a service without also having access to the legitimate user’s phone or email account.

Rohmeyer says services may be hesitant to implement tougher security because they don’t want to be seen as more inconvenient than competitors.

Multi-factor authentication is an option for many non-streaming services, including Google, Facebook and Apple, but the extra security must be turned on. Disney Plus does require codes sent by email when changing account passwords, but it doesn’t use them for logging in from new devices.

Notice: you are using an outdated browser. Microsoft does not recommend using IE as your default browser. Some features on this website, like video and images, might not work properly. For the best experience, please upgrade your browser.