29

I got an Email (to my iCloud address) from Disney+. The email contained a subscriber agreement. I did not register for their service myself. On the Disney+ website I saw that there was indeed an account for my email address. Using "forget password" I was able to log into the account and change the password.

I contacted Disney support, asking them to delete the account. However, they said that they cannot delete the account since there is a running subscription via iCloud. This subscription has to be cancelled in order for the account to be deleted.

At this point I was very concerned that someone had hacked into my iCloud (which runs under the email address used for the Disney+ account). So I logged into my iCloud and checked the running subscriptions and active devices, but there was no suspicious activity at all and no Disney+ subscription listed.

My questions are:

  • Is it technically possible that the Disney+ account is connected to my email address but using a different (unknown) iCloud account for the subscription?
  • Are there any security concerns for me or have I just randomly been given a free Disney+ account (by someone else's mistake)?
Jan
  • 1
    I have a very common name. It's surprising how many people looking for a bogus email address hit on mine. I do the same thing you've done, namely change the passwords. I've also canceled hotel and airline reservations. After all, if there were problems, the hotel, airline, etc. would presumably think the problems were my fault. – Bob Brown Jul 23 '22 at 20:19
  • 9
    I had the same thing. In my case it blocked me signing up for Disney Plus myself as the email address was already in use. I had the same conversation with customer service who refused to do anything. I logged in and changed the password but was unable to close the account using it (or just change the email address to some other address than mine) as I didn't know their PIN. They badly need to validate ownership of email addresses! – Martin Smith Jul 24 '22 at 00:25
  • 15
    Taking over an account that does not belong to you can have legal and criminal implications in some jurisdictions. Just because you control the email does not mean you have permissions to someone else's account on another service. – schroeder Jul 24 '22 at 07:48
  • 2
    "I was able to log into the account and change the password" can be a big security issue if you use the same email/password combination elsewhere, especially if you didn't make 100% sure you logged in to the real Disney site. – Guntram Blohm Jul 24 '22 at 09:18
  • 3
    @GuntramBlohm - just to be clear the mechanism presumably used was to use the "forgot password" facility to get an emailed link to reset the password. So the original credentials aren't ones reused elsewhere. Of course then standard advice about not reusing passwords should apply. – Martin Smith Jul 24 '22 at 09:33
  • 1
    What country are you based in? And can you see what country the owner of the account is based in? Under some privacy laws, e.g. the European GDPR, Disney+ have a legal obligation to ensure any personal information they hold is correct; so associating the wrong e-mail address with someone's account (which they are now knowingly doing, since you've pointed it out to them but they haven't fixed it) would potentially be illegal. Pointing that out to them might get their attention. – IMSoP Jul 25 '22 at 12:01
  • So are you saying that Disney+ is adding emails **without verification**? Or did you receive an email like "verify your email address on Disney+, click here (if you did not subscribe to Disney+ ignore this email)" and you clicked instead of ignoring the email? – GACy20 Jul 26 '22 at 06:35
  • @GACy20 - they add them without verification. In my inbox the first email I ever received from them was an email sending a one-time passcode. Then subsequently I got a few more of those and ignored them. There was no email from them with a link to click to validate ownership or possibility to disavow the account in the emails that were sent. Presumably they do this to avoid "friction" in the sign up as they still get the money anyway and don't want to impose any additional hurdles in the way of that – Martin Smith Jul 26 '22 at 08:03
  • @MartinSmith That's idiotic... I can understand not waiting for email verification before the purchase **but** they should still send a verification email and you should still be able to remove the wrong email address... having the wrong email address is worse than having no address associated with the account since, not only you cannot communicate with the customer, but you either waste money sending to a non-existing address or you are pissing off another potential customer... so there is no excuse – GACy20 Jul 26 '22 at 09:16
  • @schroeder you have the issue upside down, you didn't steal the account, it was created with YOUR email address so it's your account. The issue is that it was paid for with a credit card that is NOT yours, and if it's the creator's they could claim you stole their CC info. – Harper - Reinstate Monica Jul 26 '22 at 16:26
  • @Harper-ReinstateMonica no, absolutely not. c'mon. Just because it was created with your email address does ***not*** make it yours. That's a 5 yr old's thinking ("I can touch it, therefore it is mine"). You did not agree to the ToS or the subscriber agreement. You did not issue payment. The contract is not with you. It is not your account. Why am I having to explain this to so many people?? – schroeder Jul 26 '22 at 18:50
  • @schroeder that's only true if you do not touch it. But OP reset the password and took control of the account, using the site and thus consenting to TOS etc... and is now in a position to enjoy the content. The other guy could say OP took advantage of an honest error in entering email. – Harper - Reinstate Monica Jul 26 '22 at 19:46
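
The verification step the comments above say is missing, sketched as an added example (not part of the original thread and not Disney+'s code): sign-up records the address as unverified, the mail carries a confirm link and a "this wasn't me" link, and an unverified address neither receives password resets nor blocks its real owner from registering. The class, function names, secret and policy choices are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a server-side secret, never sent to clients
TOKEN_TTL = 24 * 3600             # assumption: links expire after one day


def sign(action, account_id, email, expires):
    # Bind the token to the action, account, address and expiry.
    msg = f"{action}|{account_id}|{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class Accounts:
    def __init__(self):
        self.accounts = {}  # account_id -> {"email": str or None, "verified": bool}

    def sign_up(self, account_id, email, now):
        """Create the account (payment can proceed) with the address unverified.
        Returns the (expiry, signature) pairs for the two links mailed out."""
        email = email.lower()
        self.accounts[account_id] = {"email": email, "verified": False}
        exp = now + TOKEN_TTL
        return {a: (exp, sign(a, account_id, email, exp)) for a in ("confirm", "disavow")}

    def _check(self, action, account_id, exp, sig, now):
        acct = self.accounts.get(account_id)
        if acct is None or acct["email"] is None or now > exp:
            return None
        expected = sign(action, account_id, acct["email"], exp)
        return acct if hmac.compare_digest(expected, sig) else None

    def confirm(self, account_id, exp, sig, now):
        acct = self._check("confirm", account_id, exp, sig, now)
        if acct is None:
            return False
        acct["verified"] = True
        return True

    def disavow(self, account_id, exp, sig, now):
        """'This wasn't me': detach the address; account and billing stay with the creator."""
        acct = self._check("disavow", account_id, exp, sig, now)
        if acct is None or acct["verified"]:
            return False
        acct["email"] = None
        return True

    def can_reset_password_via(self, email):
        # Reset mail is only sent to an address whose ownership was confirmed.
        return any(a["email"] == email.lower() and a["verified"] for a in self.accounts.values())

    def email_available(self, email):
        # An unverified claim must not block the real owner from signing up.
        return not self.can_reset_password_via(email)
```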

3 Answers

28

Yes, it's possible to use your email address and pay via credit card, PayPal, subscription cards or the respective mobile providers (Apple / Google Pay). It does not have to be a payment with Apple Pay / your iCloud account. As you are able to log in, you should see the used payment method in the account's "billing details".

I do not see any further security concerns on your side. You already checked for an intrusion into your iCloud account and there seems to be none, which is good. You contacted Disney and they did not care (which is questionable). I'd say whoever created this account is going to realize he is no longer able to log in and therefore going to cancel the payment subscription sooner or later. Lesson learned for the person who created the account with a random email address.

You probably get a notification email after the subscription has ended, then you are able to delete the account.

PasWei
  • 27
    I'm very surprised that Disney is apparently willing to charge a subscription for an account with an unverified (presumably) email address. That strikes me as an obvious no-no. – Kevin Jul 24 '22 at 03:15
  • 3
    What would someone have to gain by creating an account in someone else's name in the first place? – stevec Jul 24 '22 at 05:30
  • 23
    @stevec Speculation: they're using a stolen/hacked credit-card etc. to pay for the service and don't want it tracked back to their email address. – TripeHound Jul 24 '22 at 07:26
  • @TripeHound ohhhh makes sense. Thanks for clarifying. – stevec Jul 24 '22 at 07:27
  • 33
    @stevec I get this *all* the time - if you have a good email address, then the peeps who get xyz9@… often mistype and put xyz@… instead. I have firstnamelastname@gmail.com and get all sorts of interesting non-spam emails intended for other people, including legal documents, divorce proceedings, school documents etc. My Netflix account, for example, wasn't originally set up by me - twas an American who set it up 15 years ago, and I cancelled it a week or so later after changing the password (which triggered a lot of password reset attempts…) – Moo Jul 24 '22 at 09:08
  • 4
    @Moo my dad had some older guy using his email address for ebay. Eventually he logged into the guys account, found his phone number and told him to change the email address associated with the account, or he would close the guy's open bids and delete the account himself – Esther Jul 25 '22 at 14:35
  • @Kevin In my experience, the majority of online services that get money direct from the user won't care if the email address is owned by that user, as long as the payment method is valid. US Netflix definitely doesn't. It's the free ones that require confirmation, because whoever's providing the money wants confidence about real users. – notovny Jul 25 '22 at 19:11
  • @notovny Dropbox didn't validate email addresses until they had charged for services for more than 5 years - when they finally required email verification they ran into a lot of issues. – Moo Jul 26 '22 at 02:28
  • @moo yup, I have exactly that. I had the perfect gmail address, and somebody who has a variation of mine, keeps reading it over the phone to people who hear it as mine, and some of them are shady and I now get 500 spam mails a day. But yes, email verification is a nightmare, we have a "join our email list" signup, and 40% never confirm. – Harper - Reinstate Monica Jul 26 '22 at 16:33
8

While it is possible someone else created the account and paid for it, it's pretty unlikely.

It's more likely it's actually your account. Did you recently get a new phone or phone contract? Verizon, and probably others, offer temporary free Disney+ accounts and often automatically set them up.

Log back into the account and examine the billing information carefully to see how it's paid. Be doubly careful with PayPal as vendors commonly default the initial payment as recurring, allowing them to bill you for subsequent payments without notification.

In the end, the only risk to you is billing. Find out how it's billed.

user10216038
  • 11
    Why do you think "It's pretty unlikely"? It also happened to me and another answerer to this question. Disney apparently don't do any basic validation that the email addresses entered actually belong to the person signing up (e.g. to catch typos or just deliberately bogus addresses) – Martin Smith Jul 24 '22 at 00:17
  • 1
    I get emails fairly often welcoming me to services I never signed up for, and I always go to the service, log in via "forgot my password", change the password to something completely random, ensure no purchases were made that I would care about, and, if possible, terminate the account. Just yesterday I got such an email from Zoosk where someone had created a profile with my email claiming to be a 70-something-year-old from Wisconsin (and apparently tried to use a prohibited profile image). Someone using OP's email to create a Disney+ account is way more likely than you might think. – Abion47 Jul 24 '22 at 02:08
  • 5
    The key reason is, "**and paid for it**". Anyone who spent money has a vested interest in resolving the error quickly. Unpaid bogus account creation attempts are common and not at all the same thing. – user10216038 Jul 24 '22 at 02:51
  • 7
    @user10216038 Not if they spent _someone else's money_ using stolen/hacked credit-card details. – TripeHound Jul 24 '22 at 07:30
  • 3
    @user10216038 Thank you! I think it's unlikely that it's my account since it is set up in Mexican language (I am located in Switzerland) – Jan Jul 24 '22 at 16:46
  • 1
    @user10216038 I once had someone sign up to eBay with my e-mail address. They were apparently able to create a product listing, and start the auction, without eBay ever verifying the contact details they'd provided. I did the same as other people on this page: reset the password, cancelled the auction, and deleted the account. It's shocking that such major services have such broken sign-up flows, but it's true. When it happens, a lot of people simply don't notice - they can still log in, so nothing is obviously broken for them, until the real address owner takes over the account. – IMSoP Jul 25 '22 at 12:35
  • @IMSoP my dad had that as well (someone was using his email address for ebay for quite a while before he finally dealt with it) – Esther Jul 25 '22 at 14:37
6

This has happened to me as well.

You have two options: completely ignore the situation or take over the account (by using "Reset password").

In both cases there's no risk or anything. Your email alone is not enough to charge you.

Artem S. Tashkinov
  • 7
    Taking over an account that does not belong to you can bring legal and criminal implications in some jurisdictions. Access is not consent. And since this appears to have been performed from the iCloud account (as per the vendor's description) this is more than just a "someone used the wrong email address when they signed up". There appears to be more going on. – schroeder Jul 24 '22 at 07:47
  • 7
    Impersonating a different person is a crime in itself. You're looking at the law from a skewed perspective. Taking over something which **rightfully belongs to you** is totally permitted by the law. Using someone else's email address is not permitted. – Artem S. Tashkinov Jul 24 '22 at 12:01
  • 9
    "Rightfully" is the whole matter in question. The Disney account does not belong to you just because someone used your email account when they signed up. The one who agreed to the ToS is the one who the account belongs to. Entering an email when signing up is not "using" someone's email address. Your perspective has a hint of "I can touch it, therefore it is mine" but laws and contracts don't back that up. – schroeder Jul 24 '22 at 13:15
  • 4
    @schroeder - has there ever been a case where someone supplied the wrong email address on an online service and the email owner reset their password and it ended up in court? – Martin Smith Jul 24 '22 at 14:05
  • 4
    @MartinSmith meaningless strawman is meaningless. The context here is "taking over the account" not merely clicking the password reset link. And "end up in court" is also not what I said. As an example, taking over an account is in direct contravention of the UK Computer Misuse Act. It counts as "unauthorised access" to that account. And since the person knows that it is not their account, the act of "taking it over" is done with the intent to prevent the authorised person from accessing the account, which adds more offence according to the CMA. – schroeder Jul 24 '22 at 14:15
  • 1
    So, I'll repeat: Taking over an account that does not belong to you can bring legal and criminal implications in some jurisdictions. – schroeder Jul 24 '22 at 14:15
  • 2
    @schroeder - ah TBH I had assumed this answer was just recommending taking the account over in the same way as the other answer. To reset the password. If the suggestion is to take it over and then use it to watch the service then yes I agree with you. – Martin Smith Jul 24 '22 at 15:23
  • 1
    Thank you all! I am not planning to actively use the account but I did choose a new password for it. Unfortunately, Disney does not tell me which iCloud is bound to the account so I have no way to inform the person who pays for the account. – Jan Jul 24 '22 at 16:44
  • @schroeder It's not obvious at all that "merely clicking the password reset link" does not constitute taking over an account. Doubly so if there is indeed no precedent. – Fax Jul 25 '22 at 14:32
  • Unless you are the target of government lawyers looking to get you, the odds of you getting criminal charges are extremely rare. I have a common email address, so I have done the take over a few times, usually just to change the email. I still have one that I took over years ago. @schroeder do you have any documented cases of this happening or is this a theoretical concern? – Walter Jul 25 '22 at 17:52
  • 1
    @Walter "I've done it lots of times, and I haven't been caught, so it can't be that bad" is the worst kind of collection of logical fallacies. The fact that there are laws that protect against unauthorised access should not be a surprise at all to information security professionals. The USA has had all kinds of case law regarding CFAA, even when passwords and access was willingly granted. UK law is far more strict when it comes to unauthorised access. – schroeder Jul 25 '22 at 18:50
  • 2
    I don't quite understand why you're only talking about part of the issue. The most important here is impersonation which is a crime in itself. You have no legal right to sign up anywhere using someone else's email unless you have been given the right to do so which is definitely not the case here. – Artem S. Tashkinov Jul 25 '22 at 20:07
  • 3
    @ArtemS.Tashkinov a) There is no evidence there was an attempt at impersonation - it might just have been a typo; b) "two wrongs don't make a right" - just because the account owner has behaved badly doesn't mean the email owner can do what they like. – Martin Bonner supports Monica Jul 26 '22 at 16:36
  • 1
    @schroeder You still have not answered the question. Has the CFAA ever been used to prosecute anybody for a case like this in the USA? Has it ever been done in the UK? There is a common legal saying that people break the law multiple times a day (when you take into account all of the laws with a broad interpretation). Can you document this happening anywhere other than in your imagination? – Walter Jul 27 '22 at 16:53
  • @Walter I do not need to prove prosecution. You are still shoving your irrelevant strawman into the picture. My statement is clear, true on its face, and requires no case law (even though there actually is). I'm done battling logical fallacies. – schroeder Jul 28 '22 at 09:53