UPDATED 21:29 EDT / NOVEMBER 18 2019

SECURITY

Thousands of Disney+ accounts hacked a week after launch

A week after launching, Disney+, the online subscription streaming service from the Walt Disney Company, has been hacked, and thousands of users found their account details compromised.

The compromised accounts are being sold for between $3 and $11 each on the dark web, ZDNet reported Saturday, but how they were compromised remains officially unknown. Disney+ users started complaining of being hacked on social media shortly after the service launched, claiming those behind the hack changed their account’s email and password.

One theory, though speculative, is that the accounts have been compromised because of password re-use, wherein users used the same password they have previously used on other sites to subscribe to Disney+. There are vast online repositories of hacked accounts that expose usernames or emails with the password used. Should a Disney+ account holder have used the same details for their account, having their Disney+ account broken into this way isn’t a great surprise.

Others suggested that the security used by Disney+ was seriously lacking, particularly given that all Disney accounts are linked together, including accounts for the Disney store and its parks.

Disney responded to the reports by suggesting that the hacking “most likely” occurred because of shared password combinations. “As part of our standard operating procedures, if our systems notice suspicious login activity on a user’s online account with The Walt Disney Company, as a precaution, we will lock their account and request a password reset,” Disney said in a statement.

Niels Schweisshelm, technical program manager at bug bounty firm HackerOne Inc., told SiliconANGLE that it’s now common for cybercriminals to jump on a big new consumer launch. Indeed, he said, the scale of fresh accounts means it’s very much worth their while to invest in attempting to compromise them.

“This research should act as a reminder to all consumers about the importance of securing online accounts with strong, complex passwords,” Schweisshelm advised. “The trouble is, passwords are the worst option for secure authentication, but we don’t yet have anything better.”

Organizations can do their part, he added, by pushing or even mandating two-factor authentication that requires two forms of I.D., so that even if passwords are breached, the damage is contained. “However, I don’t think we’ll see easy, small-scale theft like that of streaming service accounts brought under control anytime soon,” he said.
