Disney+ logins stolen and sold online within hours of launch, now Australian accounts hit with same problem
It’s the new player in the video streaming space that entered the Aussie market with much fanfare. But there are already dangers for customers.
A week after entering the Australian streaming market, content giant Disney’s entertainment offering appears to be running into the same problems here as it has overseas.
Thousands of Disney+ accounts have already been hijacked from users all over the world as “hackers” lock account holders out and sell their access on the dark web and message boards, sometimes for more than a legitimate subscription costs.
Calling these people hackers gives them too much credit: they are simply replaying credentials leaked in earlier breaches of other services.
Customers who sign up for Disney+ with the same email and password they used on other, already compromised websites are handing the “hackers” credentials they already hold.
Disney maintains there hasn’t actually been any security breach on its end.
“We have found no evidence of a security breach,” Disney told news.com.au last week. “Billions of usernames and passwords leaked from previous breaches at other companies, predating the launch of Disney+, are being sold on the web. We continuously audit our security systems, and when we find an attempted suspicious login, we proactively lock the associated user account and direct the user to select a new password. We have seen a very small percentage of users in this situation and encourage any users who are having these kinds of issues to reach out to our customer support so we can help them.”
While some have complained about lengthy responses from the customer support team, at least one Australian who had their account compromised has had a favourable experience.
According to Business Insider Australia, Daniel Lee, 38, received 30 days of Disney+ for free after contacting customer support when his account was compromised.
“To rectify the matter and ensure no downtime for me, they asked me for an alternative email address,” he said. “I re-signed up for the seven-day trial on that email and they bumped it to 30 days free, so I guess I got something out of it.”
Mr Lee told Business Insider he had reused an old password when he initially signed up.
“I had used a password I used for some other accounts way back, so it’s possible someone had just attempted to reuse some stolen credentials of mine and happened to be the same password,” Mr Lee said.
While it’s obviously good practice to use new and unique passwords every time you sign up for a new service or join a social media platform, it’s not a practice that’s widely followed.
Some people use password generators and managers such as LastPass or 1Password to store a unique password for every site, so they only have to remember the one for the manager itself. The rest of us tend to cycle through the same small collection of passwords or, even worse, use a single password for everything.
This means massive data breaches that compromise user data, such as the infamous Yahoo hack where every account — all three billion of them — had their information stolen between 2013 and 2014, can reap benefits for hackers years later because people keep using the same password and emails to sign up for new services.
It’s believed this is how Disney+ accounts are being compromised: hijackers log in with reused credentials and change the account’s email address so the real owner can’t get back in.
Disney sends an email to users when their account details are updated, but by that time it’s usually too late.
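As an added illustration, not code from the article or from Disney, the following Python sketches the detection side of the pattern described above: a source that tries many distinct accounts in quick succession is treated as a credential-stuffing run, and any account it successfully reached is locked and forced to a password reset before the contact email can be changed. The log lines, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Disney+ data): timestamp, source IP, account, outcome.
LOGIN_LOG = [
    ("2019-11-19T10:00:01", "203.0.113.7", "alice@example.com", "fail"),
    ("2019-11-19T10:00:02", "203.0.113.7", "bob@example.com", "fail"),
    ("2019-11-19T10:00:03", "203.0.113.7", "carol@example.com", "success"),
    ("2019-11-19T10:00:04", "203.0.113.7", "dave@example.com", "fail"),
    ("2019-11-19T10:00:05", "203.0.113.7", "erin@example.com", "fail"),
    ("2019-11-19T10:00:06", "203.0.113.7", "frank@example.com", "success"),
    # A legitimate user mistyping once and then getting in: one account, one source.
    ("2019-11-19T10:03:00", "198.51.100.4", "alice@example.com", "fail"),
    ("2019-11-19T10:03:30", "198.51.100.4", "alice@example.com", "success"),
]

def stuffing_sources(log, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that attempted logins to at least `min_accounts` distinct
    accounts within `window`. A forgetful user retries one account; a credential
    stuffing run tries one leaked email/password pair per account across many
    accounts, so the spread of accounts per source is the signal, not the
    failure count alone (some reused pairs do succeed, as the article describes)."""
    by_source = defaultdict(list)
    for ts, ip, account, _ in log:
        by_source[ip].append((datetime.fromisoformat(ts), account))
    flagged = set()
    for ip, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {acct for t, acct in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def accounts_to_lock(log, flagged):
    """Accounts a flagged source actually got into: lock them and force a
    password reset before the intruder can change the contact email."""
    return {acct for _, ip, acct, outcome in log
            if ip in flagged and outcome == "success"}

if __name__ == "__main__":
    bad = stuffing_sources(LOGIN_LOG)
    print("stuffing sources:", sorted(bad))  # ['203.0.113.7']
    print("lock and reset:", sorted(accounts_to_lock(LOGIN_LOG, bad)))  # carol and frank
```

The distinct-accounts-per-source threshold is what separates a stuffing run from an ordinary forgotten password; in production the same logic would run per ASN or per device fingerprint as well, since attackers spread attempts across many addresses.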
The company has attracted criticism for not having a two-factor authentication system on the platform.
Two-factor authentication is an increasingly prevalent second step to protect user accounts, where you receive a code via SMS or over the phone to verify your legitimacy when changing your details or logging into an account on a new device.
You’ve probably come across it before on popular platforms like Instagram or Gmail, but you won’t find it on Disney+ at this stage.
“At this time there is not support for two-factor authentication or the ability for users to remote log out of their service,” Disney said. “We will continue to evaluate features within the services and they are likely to evolve over time, but nothing further to confirm today.”
When asked how the service had taken hold a week into its Australian launch, Disney said it was unable to share that information “due to financial disclosure regulations”.
“(Disney) has no plans to announce any sign-up/subscriber numbers outside of quarterly earnings call, and at this stage there are no plans to break out numbers by country,” the company said.
The company was, however, quick to say more than 10 million people signed up after it first launched in the US, Canada and The Netherlands on November 12.