One week after its launch, hacked Disney+ accounts are what is being discussed rather than the new video streaming service. A week ago, Disney launched a highly anticipated video streaming service, and hackers have already found a way to make a buck while ruining your fun. The service, called Disney+, contains not only Disney film favorites but also original content and new shows in the Star Wars universe. Social media sites have been flooded with overjoyed responses from happy customers, as well as complaints from unhappy customers who have lost control over their accounts.

Hackers have been able to infiltrate accounts, change the passwords to lock out the account owners and then post the credentials online for others to use or buy. Rather than the $7-per-month subscription fee, some forums have listed hacked Disney+ accounts for sale for as little as three dollars.

There are a couple of ways hackers may have pulled this off, most of which customers can avoid if they are careful.

First, anyone who ever reuses an old username and password combination from another site is playing with fire. If you reuse the login credentials from your MySpace, Yahoo, Adobe, Bank of America or Capital One account, a hacker with the right information can break in. Again, any previous data breach in which usernames and passwords were stolen means that information may be available on the Dark Web. If you open any new accounts with old information, a hacker may already have access to it, which may be the case for some of the hacked Disney+ accounts.

Next, if you receive an email or text message that someone has changed your account login for any account, do not ignore it or treat it as spam. It can mean that someone is in your account at that very moment, and they are locking you out.

Also, there is some speculation that hackers may have used keylogging software to steal credentials. This can happen when you visit a harmful website and log in, click a link or download a file in an email that installs harmful software on your computer, or connect over public Wi-Fi and log into an account. By electronically gathering up your keystrokes as you type, hackers can grab your login credentials, go into your account and take control.

Once they change your password, you are not only locked out of your account, you are also powerless to delete the account or block the payment method. You must contact customer support immediately if you are ever locked out of an account you own since a hacker may be involved.

Remember, the Disney+ website was not breached. It is the individual users themselves whose accounts have been compromised. Another handy tip to avoid hacks like the hacked Disney+ accounts is to stop announcing on social media whenever you download a new game, try out a new service or some other hot commodity. No one needs to know that you have paid for a subscription, and hackers are standing by (through basic keyword searches online) to see who has got an account they can grab. It is important to avoid oversharing your personal business in this way.

Finally, all of this serves as a great reminder about password hygiene. Apart from never reusing a password on another account, it is a good idea to change up your passwords frequently. The same is true of your security questions, as those are often targeted in a data breach as well. That database of old information the hackers have will not work if you are updating your passwords from time to time.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


It seems hard to imagine that companies still suffer accidental data breaches, but it happens with alarming frequency and it led to a ‘Magic: The Gathering’ data breach. It may be an employee who downloads some malicious software or falls for a spear phishing campaign, or someone who leaves an unsecured laptop or flash drive out. Regardless of how it happens, what is important is that it happens often enough that more companies should be safeguarding themselves from this kind of threat.

One frighteningly common event is the accidental overexposure, which occurs when a company unintentionally puts its sensitive information online for anyone to find. Sadly, even though they are doing it by mistake, that does not stop malicious people from finding the information and using it.

The most recent example of a company leaving a database of customer information exposed on the internet is Wizards of the Coast, the developer of the popular game, ‘Magic: The Gathering.’ It led to a ‘Magic: The Gathering’ data breach. This card-based game has been widely popular for many years and has a devoted following. Unfortunately, the owners used an unsecured Amazon Web Services bucket. This online server contained customer data for more than 452,000 users, including usernames and hashed and salted passwords. However, the information was not encrypted.

Accidental data breaches like the ‘Magic: The Gathering’ data breach have happened to numerous well-known, large-scale companies recently. The issue is always the same: the requirement to password protect the server is turned off by default. Unless the company opts to password protect the server and takes the steps to do so, its information can go online without any kind of wall around it.
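For teams that run AWS storage, this kind of exposure can be checked for before someone outside finds it. The following is an added example, not code from the article or from any company named in it: it audits a bucket's public-access-block settings, bucket policy and ACL for anonymous access. The policy, ACL and setting keys follow AWS's documented formats; the wrapping dictionary, bucket names and account number are constructed for illustration.

```python
"""Audit constructed S3 bucket settings for anonymous (public) access."""

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a policy Principal matches every caller, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket(bucket):
    """Return a list of findings; an empty list means no public path was found."""
    findings = []

    # 1. Account/bucket guard rails that override public policies and ACLs.
    pab = bucket.get("public_access_block") or {}
    off = [k for k in PAB_KEYS if not pab.get(k, False)]
    if off:
        findings.append("public-access-block disabled: " + ", ".join(off))

    # 2. Bucket policy statements that allow anyone.
    statements = _as_list((bucket.get("policy") or {}).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            # A Condition may narrow the grant (source IP, VPC endpoint); needs a human.
            findings.append(f"policy {sid}: anonymous Allow with a Condition, review ({actions})")
        else:
            findings.append(f"policy {sid}: anonymous Allow ({actions})")

    # 3. Legacy ACL grants to the global AllUsers group.
    for grant in (bucket.get("acl") or {}).get("Grants", []):
        if grant.get("Grantee", {}).get("URI") == ALL_USERS_URI:
            findings.append(f"acl: AllUsers granted {grant.get('Permission')}")
    return findings


# Constructed sample: a bucket readable by anyone with the URL.
EXPOSED = {
    "name": "example-game-accounts",
    "public_access_block": {k: False for k in PAB_KEYS},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-game-accounts/*"}]},
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
                        "Permission": "READ"}]},
}

# Constructed sample: the same data restricted to one named role.
LOCKED = {
    "name": "example-game-accounts-private",
    "public_access_block": {k: True for k in PAB_KEYS},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "BackupReader", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-game-accounts-private/*"}]},
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                        "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for b in (EXPOSED, LOCKED):
        print(b["name"], audit_bucket(b) or "no public access found")
```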

Unfortunately, TechCrunch reported this incident with a somewhat bothersome finding. A security company called Fidus Information Security discovered the database of information and contacted the game developers. However, there is no way of knowing if anyone else had already compromised the information. In this case, as TechCrunch states, “Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.”

One of the most critical things any company can do during a data breach like the ‘Magic: The Gathering’ data breach is to respond in a timely way. Leaving the information online while looking into the matter or failing to notify the customers of the breach quickly is not the best way to protect anyone. The developer has informed affected customers to change their passwords and has reported the breach to officials who oversee the EU’s privacy compliance regulations.


Three web services recently suffered a web service data breach in August. The news broke from Krebs On Security that users of Network Solutions, and may have received notice that an unauthorized user was able to gain access to certain important pieces of information from users’ accounts.

Domain Registration Websites

The three companies in question have a very important place in the online business world. They register website domain names, which means that if you create a website, they may hold the key data around that website. This web service data breach is particularly alarming if your website had sensitive information about the owners—including names, email addresses, phone numbers and physical addresses—which may have been compromised. Sensitive websites might be political in nature, may involve children’s photographs or identifying features or might pertain to marginalized communities of people.

Change Your Password Immediately

So far,, which owns both of the other two registration companies, has only issued a blanket warning to customers to change their passwords. The web service data breach notification is available on a separate section of their website, but none of the companies list this important announcement on their home pages.

If you have registered a website via any of these companies, it is important to change your password right away. However, even if you have not used one of them, it is encouraged to take this time to go to your domain registration company and change your password for good measure.

Watch For More Sophisticated Phishing Emails

Phishing attacks are another serious concern from breaches like the web service data breach. Hackers use or sell your email information in order to flood you with spam emails, mass marketing and fraud attempts. It would be easy for someone to create a fake email that appears to come from one of these companies and then send you an email demanding your login credentials or financial information. Be on the lookout for these kinds of approaches, and know how to respond to a potentially harmful email or text message.


If you had told someone even ten years ago that a criminal sitting on the other side of the world could steal their credit card information with a simple email, they might have written you off as a conspiracy theorist. Only a few decades ago, identity theft was not even recognized as a crime, let alone something that the police could actually investigate and prosecute. However, as new technology emerges that makes our lives more convenient and more connected, new virtual reality privacy concerns can also appear.

New Tech, New Concerns

That is the current understanding of innovations like virtual reality and augmented reality. These high-tech, digital forms of media—used for everything from education and business to entertainment—create new virtual reality privacy dangers by placing the user in entirely fabricated situations and locations, usually thanks to special software that interacts with their visual hardware.

Popular games like Pokémon Go, for example, allow the player to walk around in the real world while finding virtual characters in their actual surroundings.

Misuse of Your Personal Information

By giving access to your phone, tablet or computer to another platform in order to participate in these kinds of activities, you are opening yourself up to potential new virtual reality privacy concerns. Any time someone else can access your stored photos, camera and Facebook account or friends list, there is a possibility of them misusing that access.

Even worse, any time a platform is free to use, it is a sure sign that your information is being sold to third-parties. You have no way of knowing who those other companies are or what they plan to do with your information.

Virtual Reality User Permissions 

It is important that companies who utilize these technologies understand the new virtual reality privacy concerns of interacting with consumers in this way. However, it is equally important that users know how their information could be compromised. It is a reminder that we all must be cautious about the latest gadgets and games, and to understand what permissions we are granting when we create an account or allow access to our information. If you cannot verify what a company can do with your connection, it is better to play it safe and avoid interacting.


The Association of Certified Fraud Examiners (ACFE) and the Identity Theft Resource Center are teaming up for a very important public event on Twitter.

International Fraud Awareness Week Nov 17-23

The two organizations have partnered to help consumers understand what is fraud, how to recognize a potential fraud attempt, and what to do about it.

This year’s week-long event focuses on the theme, “Who Is Responsible For Fraud Prevention?” The very short answer to this complicated question is: All of us! But without the proper tools and awareness, it can be hard to uncover and protect yourself against fraud attempts and related crimes. Whether you’re an industry professional, a public or consumer advocate, a lawmaker or law enforcement professional, or just someone who wants to know how to protect themselves and their privacy, this event is for you.


Join the #FraudWeekChat on Twitter Nov 20

A Twitter chat is an open conversation on the social media platform that anyone is able to join in. In order to read others’ tweets from the chat or contribute your own, you simply add the specific hashtag to your posts or search for it to read. The hashtag, #fraudweekchat, will allow you to see others’ comments and questions, even if you do not currently follow them on Twitter, while also allowing them to see your remarks.

Anyone who has a vested interest in recognizing and preventing fraud attempts—which really means everyone!—is welcome to participate. Simply log into your Twitter account on Wednesday, November 20, at noon ET / 9 a.m. PT, and be sure to follow both the ACFE (@TheACFE) and the Identity Theft Resource Center (@IDTheftCenter) for up-to-date information all year long. Remember to use the #fraudweekchat hashtag by typing the pound symbol and the words at the end of your tweets. Note: If you raise a question that is unanswered, please repeat it; it may have been overlooked in the high volume of traffic during the chat.


There is a new Better Business Bureau (BBB) complaint phishing scam making its way around that is hitting the inboxes of consumers, business owners and even charities.

Phishing attempts get their name from the wide net that scammers throw out, hoping to catch a few gullible people in the process. Some reports have even said that ridiculous stories and bad grammar are intentional. The reports have said it helps the scammers only catch the kind of people who are willing to believe that a major corporation sends out emails with terrible typos and awkward sentences.

However, this new BBB complaint phishing scam that appears to come from the BBB pretty much takes the cake:


“The Better Business Bureau has received the bellow referred complaint from one of your associate on the subject of their dealing with you. …We look forward to your urgent response. Before we take action on you”

As you can see, the author of this email does not pay much attention to the rules of standard English. Remember, though, that the goal is to only interact with people who would believe an email such as this one would really come from the BBB. Anyone savvy enough to spot the errors and understand that a national company would never release such a message is probably too worldly to fall for the BBB complaint phishing scam including the email address from “”.

However, there is a dangerous aspect to the BBB complaint phishing scam, that being the instructions (removed from the middle of the message for brevity) telling the recipient to download the attachment in order to read the complaint against them. It is noted twice in the email that it must be downloaded to a computer to be read, which is actually not true. The goal is simply to get you to open the attachment, which will undoubtedly install harmful software on your computer.

In order to avoid scams like the BBB complaint phishing scam—even if there is a chance that the message is legitimate—make it a habit to never click a link, download a file, open an attachment or any other dangerous response. Even if you recognize the sender’s name and email address, do not click or open anything unless you were expecting it since their account could have been hacked or spoofed.

Also, learn to be a little bit of a “message detective” when you receive a strange email or text. Is the grammar up to par? Are there strange salutations, like “Dearest Sir or Madam” or simply “Attn” instead of a formal greeting? Do you even have an account with the bank the email supposedly came from? Or in the case of the BBB complaint phishing scam, do you even own a business? If not, how would you be cited by the BBB for complaints about shady business practices?

Remember, scammers do not care if you actually have an account or own a business. All they need you to do is be curious enough to click that attachment. From there, they can root through your computer and find what they want. Do not fall for it.


According to our 2018 End-of-Year Breach Report, there were a total of 135 financial, credit and banking data breaches, exposing 1,709,013 records last year. In the report, banking/credit/financial had the third-highest amount of data breaches of the five industry categories the Identity Theft Resource Center tracks. Of all the data breaches recorded in 2018, hacking was the most common form of data breaches. That trend has been noticeable throughout our 10,000 Breaches Later blog series and continues to play a role when it comes to financial, credit and banking data breaches.

Sign up for our ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one of many reasons why the ITRC  has been working to empower financial, credit and banking identity theft victims with the resources they need to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last month, we looked at some of the largest government and military data breaches. Now we shift our focus to the top five most impactful financial, credit and banking data breaches (as well as a bonus breach) for consumers.

Capital One

Just three months ago on July 29, 2019, Capital One announced that a hacker had gained access to 100 million U.S. and six million Canadian Capital One customers’ accounts and credit card applications in March of 2019. Individuals and small businesses were affected by this data breach that disclosed names, addresses, dates of birth, email addresses, credit scores, credit limits, payment history and balances. Roughly 140,000 Social Security numbers (SSNs) and 80,000 linked bank account numbers were also exposed. At the time of the breach, the ITRC urged consumers to take action, freeze their credit, be aware of scams and to document all of their steps they were taking if they were impacted (utilizing our ID Theft Help App as one tool). This breach was particularly impactful due to the high amount of SSNs and bank account numbers exposed and the gigantic amount of accounts accessed. A stolen Social Security number can lead to multiple types of identity theft, including financial identity theft, government identity theft, criminal identity theft, medical identity theft and utility fraud.

JPMorgan Chase & Co.

First reported in August of 2014, JPMorgan Chase & Co. experienced a cyberattack that allowed hackers to access the personal information of 76 million households and seven million small businesses. The information accessed included names, addresses, phone numbers, email addresses and internal JPMorgan Chase & Co. information of those users. Customers affected by this breach were those who used, JP Morgan online, Chase Mobile and JP Morgan Mobile. Many JPMorgan Chase & Co. customers were impacted because JPMorgan Chase & Co. did not have to send out notification letters to affected consumers in many states because the breach did not expose sensitive information like account numbers, passwords, dates of birth and Social Security numbers. Instead, Chase posted a blanket statement on the homepage of their website. That left some individuals affected on their own to figure out what to do.


Credit card processing company, CardSystems Solutions, Inc., discovered in May 2005 and reported one month later that they had experienced a  data breach in which a hacker was able to insert a virus into the computer system that captured customer data. Around 40 million Visa and MasterCard credit and debit card accounts were affected. Following the breach, Visa said it would continue to work with CardSystems when the case was resolved. MasterCard said that it would give CardSystems a limited amount of time to demonstrate compliance with MasterCard’s security requirements. The data breach led to Visa and MasterCard dropping CardSystems as their credit card processor. An important point for consumers to understand in this instance, in particular, is that many institutions utilize third-party vendors that can have a detrimental impact on their data even if the consumer is as vigilant as possible.

BNY Mellon Shareowner Services

On February 27, 2008, Bank of New York Mellon (BNY Mellon) lost a box of backup tapes in transit to a storage facility that contained the names, addresses, dates of birth and Social Security numbers of 12.5 million customers. Connecticut Attorney General Richard Blumenthal said he was alarmed and deeply concerned at the time of the breach. Notification letters were sent to those affected in May and the breach had such a large impact the bank went on to hire more customer service representatives to handle the influx of calls from concerned customers. This is a reminder that if you are impacted by a breach, it is important to take the necessary steps to protect yourself.


In October 2015, retail stock brokerage firm, Scottrade, INC., disclosed that hackers had stolen client contact information and SSNs for 4.6 million customers. In an email notice sent to customers, Scottrade said that although SSNs, email addresses and other sensitive data were contained in the accessed system, they believed that only client names and street addresses were the focus of the hack. However, the company said it would offer those affected identity theft protection services “as a precaution.” At the time of the breach, federal authorities were also investigating similar thefts at other financial services companies. It is important for consumers to realize that even if a company believes that only certain records were the targets, any data that may have been compromised opens those impacted to much more risk than an organization may communicate in its notification.

Bonus Breach: First American Financial Corp.

In May 2019, it was reported that financial services corporation, First American Financial Corp., had been exposing a massive 885 million real estate and mortgage-related documents through its website. By simply altering a nine-digit record number attached to a transaction link, users were able to potentially pull up other transaction documents containing information such as names, phone numbers, addresses, driver’s licenses, Social Security numbers, bank account numbers and statements, mortgage and tax records and wire transactions receipts. In an update posted by First American regarding the financial, credit and banking data breach, the investigation only identified 32 consumers whose non-public personal information was likely accessed without authorization. This breach could have led to mortgage fraud where a hacker tries to take out a loan in the victim’s name as well as other types of fraud like title fraud.
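The exposure described above comes from treating possession of a link as permission to read the record behind it. The following is an added example, not First American's code: it sets that flawed lookup beside a version that checks the signed-in user against the parties to the transaction, returns the same error for "missing" and "not yours", and throttles accounts that rack up denials. All record numbers, user names and contents are constructed.

```python
"""Record lookup by number alone versus lookup with an ownership check."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    record_id: str        # nine-digit record number carried in the link
    parties: frozenset    # accounts that are party to the transaction
    body: str


# Constructed sample records; the IDs and contents are invented.
DOCS = {d.record_id: d for d in (
    Document("000000075", frozenset({"alice"}), "closing statement"),
    Document("000000076", frozenset({"bob"}), "wire receipt"),
    Document("000000077", frozenset({"bob", "carol"}), "tax record"),
)}


class NotFound(Exception):
    """Used for both 'no such record' and 'not yours', so replies
    do not confirm which record numbers exist."""


class Throttled(Exception):
    """The account has been denied too often and needs review."""


def fetch_by_link_only(record_id):
    """Flawed pattern: anyone who supplies a valid number gets the document."""
    doc = DOCS.get(record_id)
    if doc is None:
        raise NotFound(record_id)
    return doc.body


@dataclass
class GuardedStore:
    """Hardened pattern: every read is authorized against the signed-in user."""
    max_denials: int = 3
    denials: dict = field(default_factory=dict)

    def fetch(self, user, record_id):
        if self.denials.get(user, 0) >= self.max_denials:
            raise Throttled(user)
        doc = DOCS.get(record_id)
        if doc is None or user not in doc.parties:
            # Count the miss; a run of denials is a signal worth alerting on.
            self.denials[user] = self.denials.get(user, 0) + 1
            raise NotFound(record_id)
        return doc.body


def visible_records(fetch, record_ids):
    """Regression check: which of record_ids does fetch() actually serve?"""
    served = []
    for rid in record_ids:
        try:
            fetch(rid)
        except (NotFound, Throttled):
            continue
        served.append(rid)
    return served


if __name__ == "__main__":
    ids = ["000000075", "000000076", "000000077", "000000078"]
    store = GuardedStore()
    print("link only:", visible_records(fetch_by_link_only, ids))
    print("as alice: ", visible_records(lambda r: store.fetch("alice", r), ids))
    print("denials:  ", store.denials)
```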

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted understand how to minimize their risk and mitigate their data compromises. If you have received a data breach notification letter, call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do.

In our final 10,000 Breaches Later blog, we will take a look at some of the biggest education data breaches since 2005 and the effect they have had on children, parents and teachers. For a look at all of ITRC’s 10,000 breaches blogs, visit


A lot of data breaches are the work of highly-skilled hackers who use technical know-how to infiltrate a company’s cyber defenses. Others are not so elaborate, such as when a low-level criminal sends a phishing email to a company employee, one that contains a virus purchased on the dark web. While those two malicious scenarios involve different ability levels, there is a whole other possibility for data breaches, that being accidental overexposures. The Adobe account information leak followed a similar scenario.

When a company employee allows information to simply exist in a way that anyone can steal it, it is called an accidental overexposure. Unfortunately, recent news has demonstrated that far too many businesses are storing their sensitive data in cloud-based storage solutions, then failing to secure it.

As the recently announced Adobe Creative Cloud breach, which leaked Adobe account information, shows, all it takes is uploading a few customers’ login credentials—or in this case, about seven million customers’ data—to a cloud-based storage bucket and then not switching the default setting of “no password required” to a password-protected option.

Security researcher Bob Diachenko and Comparitech discovered the database of emails, usernames and product selections online, available to anyone who stumbled upon it in their web browser. While some estimates show that the database was left exposed for about a week, there is no way of knowing how long it was visible. The experts who found it alerted Adobe, who secured the database that same day after the Adobe account information leaked.

Unfortunately, with such a common occurrence as this, there is really only one recourse consumers have. It is imperative that all tech users rely on strong, unique passwords for all of their online accounts, and that they change these passwords regularly. That way, if a database is left exposed and a nefarious actor discovers it, the password contained in the database will be useless because it is outdated.

Also, as the information contained in this breach event shows, learning how to spot spam and phishing emails is another way to protect yourself. With limited information such as this, scammers can easily send users emails that masquerade as communications from Adobe, even going so far as to list the exact products the recipients use. Be alert to this kind of tactic, and know how to protect yourself from emailed threats.


If you have never heard of e-skimming before, you probably want to educate yourself, especially with the holidays right around the corner. You may have heard warnings over the years about criminals tampering with credit card swipe systems at stores, gas pumps and other point-of-sale consumer stations. This tampering, known as “skimming,” happens when someone inserts a thin film into the card reader that steals your information and allows the thief to use your account. It is rare that the process is instantaneous, though, as typically the thief has to come retrieve the skimmer in order to download all of the stolen data.

Cybersecurity experts have now uncovered a new threat that works the same way, e-skimming, although it gives the criminal instant access to your account. Even worse, the criminal does not have to tamper with any physical systems and can pull it off from anywhere in the world.

E-skimming happens when a hacker inserts malicious credential-stealing software into a retailer’s website. You think you are checking out with your credit card or debit card—because you are, and your items even arrive as intended—but the hacker is stealing your payment information from the shopping cart in real-time. They may even be using your card or selling the information on the Dark Web before you are done with the transaction.

Unlike physical card skimming, you cannot simply look at a website and tell that a hacker has tampered with the system with e-skimming. The website owner themselves may not even know unless there is an investigation. However, there are some things you can do to protect yourself.

Enable alerts on your cards

“Card Not Present” transaction alerts are a good idea anyway, and they are one of your best defenses against e-skimming. This alert, usually sent by text or email, comes from your card issuer and lets you know anytime your card is used to make a number-only purchase. As soon as the transaction is processed, the alert is issued. You can contact your bank immediately and stop the payment from going through, as well as close that card and order a new one.

Monitor your account

It is important that all consumers take a routine peek at their bank and card accounts in order to make sure there is nothing suspicious going on. Your card may be used or sold by a hacker, and there can be a limited window of time for you to dispute any charges in order to avoid accepting responsibility for them.

Use trusted websites and look for HTTPS

Hackers have a fun game of seeing who can earn the most credibility by taking down bigger and bigger targets. However, the more trusted and secure the retailer, the more likely they are to have strong security protocols in place. Avoid sites you are not familiar with, no matter how great the advertised deals are.

Consider a low-limit card for online purchases

Especially with holiday shopping coming up, you might consider a low-limit credit card for use on the internet. It can help reduce the amount of damage a hacker can do if your card information is stolen online.

Pre-plan your holiday shopping

If you are doing a lot of online shopping in the next few weeks, it is a good idea to plan what you will be buying and from which retailers. First, it will help you stick to your holiday budget, but more importantly, you will not be lured into opening dozens of online accounts and spreading your spending around. Limiting where you shop can help reduce your risk of encountering an e-skimmer.


Can you handle this? 👑 🐝

We’re excited to announce that we have switched our social media handles to @IDTheftCenter and we thought we’d drop the news like a Beyoncé album.

Be sure to follow us on Facebook, Twitter, Instagram, and LinkedIn for tips to protect your identity, news regarding scams and data breaches, and upcoming events.
