Hotstar cites “data breach on other platforms”, phases out email logins

Disney+ Hotstar is phasing out passwords for login authentication, saying that some of its users’ accounts were compromised because of “data breaches on other platforms”. The company said this in emails to users that it has been sending since at least earlier this month. The company did not go into details of what exactly these breaches were. A copy of Hotstar’s email to users is shared below.

Will this have an impact on password sharing? In all probability, Hotstar will benefit from premium users facing more friction in sharing their accounts with others, as OTP-based authentication requires account holders to provide a new code for each login. This approach makes password sharing, while not impossible, much more burdensome.

Hotstar blames weak and reused passwords

Some users have been complaining to Hotstar about their accounts being compromised for some time now. Hotstar has been telling them that reused or weak passwords were causing these incidents, not a breach on its own servers. The company has been providing this templated response to users since May 2019, when its current head of information security, privacy and trust joined the company.

The company has not been allowing new accounts to be created with email addresses since February, Gadgets 360 had reported. It is unclear if any of the breaches cited by Hotstar came from organisations that were working with the OTT platform; Dunzo disclosed a breach earlier this month where vulnerabilities on third party platforms exposed their users’ data. We have reached out to Hotstar for comment (see our questions to the company below).

Why is Hotstar entirely phasing out email logins?

It is not uncommon for password reuse to lead to users’ accounts being compromised elsewhere. Since at least 2016, Netflix has notified users whose login credentials it finds in security breaches. The Naked Security blog by Sophos notes that Amazon does the same thing.

It’s unclear if Hotstar did such audits on data breaches on the web and alerted affected users. Disney+, which is headquartered in the US, faced the exact same issue mere hours after it launched, but continues to provide email address and password-based login as the primary way for users to log in.

Of course, OTP-based logins are not without risk either, since SMS is more vulnerable to interception than, say, end-to-end encrypted messaging or password-protected emails. The service continues to allow users to sign up and sign in using Facebook, but requires an additional click to access this feature:

Source: Hotstar

Questions to Hotstar

We reached out to Hotstar with the following questions on the breach:

  • Since when has this transition [to OTP-based logins] been planned? When will it finish?
  • When did Hotstar stop giving new users the option to sign up using their email address?
  • Are any of the breaches on third party websites mentioned by Disney+ Hotstar vendors for the Hotstar service, or have they ever been?
  • Why did these third party breaches contain working credentials for Hotstar users? Can Hotstar definitively state that its own servers were not breached?
  • Was a security notification issued in the past by Hotstar around these breaches to affected users, and to the general public? If no, why not?
  • What will happen to accounts which do not provide a mobile number by the time this transition has finished?

Hotstar’s email to users

Here’s Hotstar’s email to users on the move to OTP-based logins.

Action Required: Link your mobile number

Hi there

We are here to make your account more secure. As we begin phasing out email logins, we strongly recommend you to link your mobile number with this account registered with Hotstar for future logins. To do this, please follow the link below.

Link Your Mobile Number

Linking mobile number will log you out of all devices, so you can use this mobile number for all your future logins. We assure you it’s all for a secure and seamless experience moving forward.

Why is this important?

In light of the recent events where few Hotstar accounts were found to be compromised due to data breaches on other platforms, we want you to have an unhindered entertainment experience. Linking your mobile number ensures that OTP (one-time pin) is required for authentication on every login which unlike password cannot be reused. Be rest assured, the linked mobile number will only be used for internal purposes.

Please note, the link will expire within 24 hours. For any other queries or complaints, write to us at hello@hotstar.com.

Thank you for using Disney+ Hotstar!
Team Disney+ Hotstar

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ