Hotstar cites “data breach on other platforms”, phases out email logins

Disney+ Hotstar is phasing out passwords for login authentication, saying that some of its users’ accounts were compromised because of “data breaches on other platforms”, the company said in emails to users that it started sending at least earlier this month. The company did not go into details of what exactly these breaches were. A copy of Hotstar’s email to users is shared below.

Will this have an impact on password sharing? In all probability, Hotstar will benefit from premium users facing more friction in sharing their accounts with others, as OTP-based authentication requires account holders to provide a new code for each login. This approach makes password sharing, while not impossible, much more burdensome.

Hotstar blames weak and reused passwords

Some users have been complaining to Hotstar for some time now that their accounts were compromised. Hotstar has been telling them that reused or weak passwords, not a breach of its own servers, were causing these incidents. The company has been providing this templated response to users since May 2019, when its current head of information security, privacy and trust joined the company.

The company has not been allowing new accounts to be created with email addresses since February, Gadgets 360 had reported. It is unclear if any of the breaches cited by Hotstar came from organisations that were working with the OTT platform; Dunzo disclosed a breach earlier this month where vulnerabilities on third party platforms exposed their users’ data. We have reached out to Hotstar for comment (see our questions to the company below).

Why is Hotstar entirely phasing out email logins?

It is not uncommon for password reuse to lead to users’ accounts being compromised elsewhere. Since at least 2016, Netflix has notified users whose login credentials it finds in security breaches. The Naked Security blog by Sophos notes that Amazon does the same thing.

It’s unclear if Hotstar did such audits on data breaches on the web and alerted affected users. Disney+, which is headquartered in the US, faced the exact same issue mere hours after it launched, but continues to provide email address and password-based login as the primary way for users to log in.

Of course, OTP-based logins are not without risk either, since SMS is more vulnerable to interception than, say, end-to-end encrypted messaging or password-protected emails. The service continues to allow users to sign up and sign in using Facebook, but requires an additional click to access this feature:

Source: Hotstar

Questions to Hotstar

We reached out to Hotstar with the following questions on the breach:

  • Since when has this transition [to OTP-based logins] been planned? When will it finish?
  • When did Hotstar stop giving new users the option to sign up using their email address?
  • Are any of the breaches on third party websites mentioned by Disney+ Hotstar vendors for the Hotstar service, or have they ever been?
  • Why did these third party breaches contain working credentials for Hotstar users? Can Hotstar definitively state that its own servers were not breached?
  • Was a security notification issued in the past by Hotstar around these breaches to affected users, and to the general public? If no, why not?
  • What will happen to accounts which do not provide a mobile number by the time this transition has finished?

Hotstar’s email to users

Here’s Hotstar’s email to users on the move to OTP-based logins.

Action Required: Link your mobile number

Hi there

We are here to make your account more secure. As we begin phasing out email logins, we strongly recommend you to link your mobile number with this account registered with Hotstar for future logins. To do this, please follow the link below.

Link Your Mobile Number

Linking mobile number will log you out of all devices, so you can use this mobile number for all your future logins. We assure you it’s all for a secure and seamless experience moving forward.

Why is this important?

In light of the recent events where few Hotstar accounts were found to be compromised due to data breaches on other platforms, we want you to have an unhindered entertainment experience. Linking your mobile number ensures that OTP (one-time pin) is required for authentication on every login which unlike password cannot be reused. Be rest assured, the linked mobile number will only be used for internal purposes.

Please note, the link will expire within 24 hours. For any other queries or complaints, write to us at hello@hotstar.com.

Thank you for using Disney+ Hotstar!
Team Disney+ Hotstar


Written By

I cover the digital content ecosystem and telecom for MediaNama.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
