Information Security
account-security icloud
Updated Sun, 04 Sep 2022 00:01:10 GMT

Someone created a Disney+ account with my e-mail address. Are there any security concerns?


I got an email (to my iCloud address) from Disney+. The email contained a subscriber agreement. I did not register for their service myself. On the Disney+ website I saw that there was indeed an account for my email address. Using "forget password" I was able to log into the account and change the password.

I contacted Disney support, asking them to delete the account. However, they said that they cannot delete the account since there is a running subscription via iCloud. This subscription has to be cancelled in order for the account to be deleted.

At this point I was very concerned that someone had hacked into my iCloud (which runs under the email address used for the Disney+ account). So I logged into my iCloud and checked the running subscriptions and active devices, but there was no suspicious activity at all and no Disney+ subscription listed.

My questions are:

  • Is it technically possible that the Disney+ account is connected to my email address but using a different (unknown) iCloud account for the subscription?
  • Are there any security concerns for me, or have I just randomly been given a free Disney+ account (by someone else's mistake)?



Solution

Yes, it's possible to use your email address and pay via credit card, PayPal, subscription cards or the respective mobile providers (Apple / Google Pay). It does not have to be a payment with Apple Pay / your iCloud account. As you are able to log in, you should see the used payment method in the account's "billing details".

I do not see any further security concerns on your side. You already checked for an intrusion into your iCloud account and there seems to be none, which is good. You contacted Disney and they did not care (which is questionable). I'd say whoever created this account is going to realize he is no longer able to log in and is therefore going to cancel the payment subscription sooner or later. Lesson learned for the person who created the account with a random email address.

You will probably get a notification email after the subscription has ended; then you will be able to delete the account.





Comments (5)

  • +0 – I'm very surprised that Disney is apparently willing to charge a subscription for an account with an unverified (presumably) email address. That strikes me as an obvious no-no. — Jul 24, 2022 at 03:15  
  • +3 – What would someone have to gain by creating an account in someone else's name in the first place? — Jul 24, 2022 at 05:30  
  • +0 – @stevec Speculation: they're using a stolen/hacked credit-card etc. to pay for the service and don't want it tracked back to their email address. — Jul 24, 2022 at 07:26  
  • +0 – @stevec I get this all the time - if you have a good email address, then the peeps who get xyz9@ often mistype and put xyz@ instead. I have firstnamelastname@gmail.com and get all sorts of interesting non-spam emails intended for other people, including legal documents, divorce proceedings, school documents etc. My Netflix account, for example, wasn't originally set up by me - 'twas an American who set it up 15 years ago, and I cancelled it a week or so later after changing the password (which triggered a lot of password reset attempts) — Jul 24, 2022 at 09:08  
  • +4 – @Moo My dad had some older guy using his email address for eBay. Eventually he logged into the guy's account, found his phone number and told him to change the email address associated with the account, or he would close the guy's open bids and delete the account himself — Jul 25, 2022 at 14:35