Fake Disney+ OAuth Login Phishing via Social Sign-In
Scammers create fake Disney+ login prompts that mimic OAuth social-sign-in flows, tricking users into granting access to their Google or Apple account via a fraudulent authorisation page.
Part of: Social Login & OAuth Phishing
Last reviewed: 7 June 2026
Disney+ allows subscribers to sign in using their Google or Apple account credentials through a standard OAuth flow. This convenience feature has been weaponised by phishers who replicate the OAuth-style pop-up login experience to make credential theft feel like a routine, trusted action.
Because OAuth pop-ups are familiar and feel secure — users associate the Google or Apple branding in the pop-up with genuine security — people may be less vigilant than they would be entering a password directly into an unfamiliar form. The fake OAuth prompt provides a veneer of legitimacy that can deceive even technically knowledgeable users.
A compromised Google or Apple account obtained through this vector gives attackers far more than Disney+ access — it potentially unlocks a wide range of services linked to that account.
How this scam works on the Disney+ brand
Legitimate OAuth flows from Disney+ launch a genuine Google or Apple sign-in pop-up that appears at accounts.google.com or appleid.apple.com — the URL bar in the pop-up window shows the real provider's domain. Completing this flow on the real provider's site is safe because Disney+ never sees your Google or Apple password — only a secure token is exchanged.
Fake OAuth pages open a pop-up that mimics the design of the Google or Apple sign-in interface, but the URL bar shows a third-party domain. Some sophisticated versions use iframe embedding or URI tricks to appear to show the correct domain while actually capturing credentials at an attacker-controlled site.
The attack path often begins with a fake Disney+ offer page — a promotion or gift card — that says 'Sign in with Google to claim your offer'. The familiar Google sign-in pop-up appears and the user completes what seems like a normal authentication, not realising the 'Google' page is a replica.
Common red flags
- The URL in the pop-up sign-in window is not accounts.google.com or appleid.apple.com
- You are asked to sign in via Google or Apple to claim a Disney+ promotion or gift card from a non-Disney+ site
- The site shows an OAuth pop-up but then also asks for your password directly on the page
- The Google or Apple sign-in pop-up asks for more permissions than streaming access requires (such as access to contacts or Drive)
- The promotion or offer seems unusually generous — a free year of Disney+ or a gift card from an unfamiliar site
- The page URL is not disneyplus.com, though it displays Disney+ branding prominently
How to protect yourself
- Before completing an OAuth flow, check the URL in the pop-up window — it must be the real provider's domain (accounts.google.com or appleid.apple.com)
- Review apps connected to your Google account at myaccount.google.com/permissions and revoke any you do not recognise
- Review apps connected to your Apple ID at appleid.apple.com under 'Sign in with Apple'
- Be especially cautious about OAuth prompts on third-party promotion sites not hosted on disneyplus.com
- Enable two-factor authentication on both your Google/Apple account and your Disney+ account
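The URL check above (the pop-up must be at accounts.google.com or appleid.apple.com) and the "more permissions than streaming needs" red flag can both be turned into a small, mechanical check. The following Python is an added example written for this page, not code from Disney+, Google or Apple: it classifies a sign-in pop-up URL by the host the browser would actually connect to rather than by any branding or text in the URL, and lists OAuth scopes that go beyond plain sign-in. The `.example` domains and the `client_id=placeholder` value are constructed sample inputs; the two "URI tricks" it models (a genuine host name placed before an `@`, or embedded as a subdomain or path of another domain) are assumed forms of the tricks the page mentions, and the baseline of sign-in-only scopes (`openid`, `email`, `profile`, `name`) is an assumption about what a streaming service needs.

```python
"""Classify sign-in pop-up URLs by the host actually being contacted, and flag over-broad scopes.
Added example for this advisory; not vendor code."""
from urllib.parse import parse_qs, urlsplit

# The only hosts the advisory names as genuine for the Google / Apple sign-in pop-up.
GENUINE_SIGNIN_HOSTS = {"accounts.google.com", "appleid.apple.com"}
PROVIDER_WORDS = ("google", "apple")

# Assumption: a streaming service only needs basic identity scopes at sign-in.
# Google uses openid/email/profile; Apple's Sign in with Apple uses name/email.
SIGNIN_SCOPES = {"openid", "email", "profile", "name"}


def classify_signin_url(url: str) -> tuple:
    """Return ("genuine", reason) only for an HTTPS URL whose host is exactly a genuine
    provider host; otherwise ("suspicious", reason) with the most specific reason found."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ("suspicious", "URL could not be parsed")
    # .hostname is lower-cased, with port and any user@ prefix stripped: what the browser connects to.
    host = parts.hostname
    if not host:
        return ("suspicious", "no host in URL")
    if parts.scheme != "https":
        return ("suspicious", f"not HTTPS (scheme is {parts.scheme!r})")
    if parts.username is not None or parts.password is not None:
        # Text before '@' is userinfo, not the site; the browser connects to what comes after it.
        return ("suspicious", f"'@' in URL: the browser connects to {host}, not to the name before '@'")
    if host in GENUINE_SIGNIN_HOSTS:
        return ("genuine", f"host is {host}")
    if any(genuine in host for genuine in GENUINE_SIGNIN_HOSTS):
        return ("suspicious", f"genuine host name is embedded in a longer domain ({host})")
    if any(word in host for word in PROVIDER_WORDS):
        return ("suspicious", f"lookalike domain ({host}) is not a genuine sign-in host")
    if any(genuine in parts.path + "?" + parts.query for genuine in GENUINE_SIGNIN_HOSTS):
        return ("suspicious", f"genuine host name appears only in the path, host is {host}")
    return ("suspicious", f"host {host} is not a genuine sign-in host")


def excessive_scopes(url: str) -> list:
    """Return the OAuth scopes in an authorisation URL that go beyond plain sign-in.
    Both providers pass space-separated scopes in the `scope` query parameter."""
    query = parse_qs(urlsplit(url.strip()).query)
    requested = set()
    for value in query.get("scope", []):
        requested.update(value.split())
    return sorted(scope for scope in requested if scope not in SIGNIN_SCOPES)


# Constructed sample URLs (the .example domains and client_id are placeholders, not real sites).
SAMPLE_URLS = [
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=placeholder&scope=openid%20email%20profile",
    "https://appleid.apple.com/auth/authorize?scope=name%20email",
    "http://accounts.google.com/",
    "https://accounts.google.com@disney-offer.example/",
    "https://accounts.google.com.disney-offer.example/signin",
    "https://accounts-google.com/",
    "https://promo.example/accounts.google.com/login",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=placeholder"
    "&scope=openid%20email%20profile%20https://www.googleapis.com/auth/contacts.readonly",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, reason = classify_signin_url(sample)
        extra = excessive_scopes(sample)
        line = f"{verdict:10} {reason}"
        if extra:
            line += f"; asks for more than sign-in: {', '.join(extra)}"
        print(line)
```

The classifier deliberately ignores everything except the parsed host: branding in the path, a genuine-looking name before an `@`, or a provider name used as a subdomain all resolve to the attacker's domain, which is exactly what the URL bar in the pop-up reveals when read carefully. A genuine host that nonetheless requests contacts or Drive scopes is the separate red flag from the list above, which is why the scope check is reported independently of the host verdict.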
How to report it
- Revoke any suspicious OAuth permissions immediately through your Google or Apple account settings
- Report the phishing site to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
- Contact Disney+ support at help.disneyplus.com if your account was accessed without authorisation
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
Frequently asked questions
Is it safe to use 'Sign in with Google' for Disney+?
Yes — when you use the official Disney+ app or disneyplus.com and the OAuth pop-up opens at accounts.google.com. The danger is when a fake page mimics this pop-up. Always check the URL in the OAuth window before entering your Google credentials.
What can an attacker do with an OAuth token?
An OAuth token grants access to your Disney+ account without ever needing your Google password. However, the more serious risk is that the fake page is actually harvesting your Google credentials directly — giving the attacker full Google account access rather than just a Disney+ session token.
How do I check which apps have access to my Google account?
Go to myaccount.google.com/permissions to see all apps and services that have been granted access. If you see Disney+ or any other service you do not recognise, click on it and select 'Remove Access'.