Disney+ Hotstar is Forced Migration to SMS-Based OTP Login Leaves Some Users in the Lurch

  • Disney+ Hotstar users are having trouble logging in with forced migration from email login to SMS-based OTP only. In late February, Disney+ Hotstar — then just Hotstar — began moving its existing subscribers from email addresses to phone numbers to log in. The streaming service reportedly took this step to tighten security, as future login attempts would require a one-time password (OTP) sent to the mobile in question. This takes Disney+ Hotstar a step ahead of Netflix, which doesn’t offer any two-factor authentication method as yet. And then, in a further push in April, Disney+ Hotstar disabled the option to sign up with an email address or log in with an email address if a phone number was also registered to your account. Unfortunately, this has resulted in a series of avoidable consequences.

  • Some Disney+ Hotstar subscribers are reporting that they can’t log into the service because the accounts are associated with phone numbers unknown to them. Gadgets 360 has learned that this is because their Disney+ Hotstar account credentials have been compromised via emailed phishing schemes, fake websites, modded APKs, or password reuse. The last of those happens when you use the same password across websites. These credentials have since been circulating on publicly accessible websites and the dark web. This was a secondary reason cited internally to transition to SMS-based OTP logins.
  • Now, you can change the phone number associated with your Disney+ Hotstar account. Unfortunately, you’ll have to deal with Disney+ Hotstar’s customer support team on Twitter to do this. Subscribers can’t change the number on their own, though Disney+ Hotstar hopes to work on this feature “soon”. To get the number changed, you’ll need to present your purchase invoice of Disney+ Hotstar, be it the Google Play or iTunes receipt, or a statement from your bank. Users aren’t too pleased about this, as you’d think, but customers can redact everything on bank statements, minus the name, phone number, and the Disney+ Hotstar transaction.
  • It’s not clear why Disney+ Hotstar didn’t just allow subscribers to receive OTPs on their existing email address, as some have demanded. Moreover, the service transitioned users away from a working login method without informing them either by email or by sending a notification.
  • If it’s user security that Disney+ Hotstar is truly worried about her, then you’d think it would consider moving to an app-based two-factor authentication (2FA) system, as is offered by Amazon Prime Video. Experts have shown that SMS-based OTPs are vulnerable. This could occur via fraudulent apps installed on the user device, or on the network end since text messages aren’t encrypted by default and are stored in plain text en route. The least it could’ve done was offer OTPs on email, which is arguably safer than SMS, and it’s annoying that Disney+ Hotstar can’t — or rather, won’t.

Leave a Comment

Your email address will not be published.