Fake Disney+ 'Sign in with Disney' OAuth Phishing Scam
Phishing pages mimic Disney+'s sign-in experience to harvest Disney account credentials that also unlock Disney Parks reservations, ShopDisney purchases, and linked payment methods stored in the Disney ecosystem.
Part of: Social Login & OAuth Phishing
Last reviewed: 8 June 2026
A single Disney account can link a subscriber to Disney+, Disney Parks ticket reservations, Annual Pass management, ShopDisney, and in some markets ESPN+. This broad ecosystem means that compromising one set of Disney credentials can affect far more than a streaming subscription.
Scammers build phishing pages that replicate the Disney sign-in flow (disneyaccount.disney.com) pixel-for-pixel. They distribute links via phishing emails, fake Disney fan sites, and spoofed Disney promotional offers. Users expecting to sign in to watch content or manage a park reservation are the primary targets.
Because many Disney+ subscribers are parents managing family accounts, there is also a risk that children's associated Disney accounts and linked payment methods are exposed.
How this scam works on the Disney+ brand
A Disney+ subscriber clicks a link in an email claiming to offer a free month of Disney+ in celebration of an anniversary or new release. The email mimics Disney's visual design and the link goes to a page at disney-plus-offer.net that displays the Disney+ sign-in form.
After entering their email and password, the victim is shown a congratulatory screen with a fake confirmation code. Meanwhile, the attacker uses the credentials to log in to the real Disney account, change the email address or password, and gain access to linked payment methods.
In a theme parks variant, an email claims a Disney Parks reservation requires re-confirmation and links to a fake My Disney Experience sign-in page where family member details, linked card numbers, and trip itineraries are harvested.
Common red flags
- Genuine Disney sign-in pages are always at disneyaccount.disney.com or id.disney.com — no other domain is the real Disney login.
- Promotional offers from Disney arrive from @disney.com or @disneyplus.com — verify the full sender domain.
- Unexpected discounts or free months offered in unsolicited emails are common phishing lures.
- After sign-in, you are asked for a 'confirmation code' that references your Parks reservation or Annual Pass — this framing is used to seem relevant while harvesting further data.
- The URL shown in the browser address bar contains words like 'disney-offer,' 'disneyplus-promo,' or similar rather than disney.com.
- If a link prompts you to sign in to a Disney account, do not sign in through it; navigate to disneyplus.com directly instead.
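The host checks in the red flags above, as an added example (not Disney's code and not part of the original page): it classifies a link by the hostname a browser would actually connect to, using only the domains this page names. The category labels and every sample link other than disney-plus-offer.net are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts and domains are the ones this page names; the labels are this example's own.
SIGNIN_HOSTS = {"disneyaccount.disney.com", "id.disney.com"}
NAMED_DOMAINS = ("disney.com", "disneyplus.com", "disneyworld.disney.go.com")
BRAND_TOKEN = "disney"
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Return the lower-cased host a browser would connect to for this link."""
    url = url.strip()
    if not HAS_SCHEME.match(url):
        url = "https://" + url  # bare "host/path" text copied from an email body
    host = urlsplit(url).hostname or ""  # .hostname drops userinfo ("user@") and port
    return host.rstrip(".")  # "id.disney.com." is the same host as "id.disney.com"


def classify(url: str) -> str:
    host = hostname_of(url)
    if host in SIGNIN_HOSTS:
        return "signin"
    # Compare on label boundaries: "x.disney.com" matches, "notdisney.com" does not.
    if any(host == d or host.endswith("." + d) for d in NAMED_DOMAINS):
        return "named-domain"
    if BRAND_TOKEN in host:
        return "lookalike"  # brand word in a host outside the named domains
    return "no-brand-in-host"


# Constructed sample links, except disney-plus-offer.net, which the page cites.
SAMPLES = [
    "https://disneyaccount.disney.com/login",
    "https://www.disneyplus.com/help",
    "disney-plus-offer.net/signin",
    "https://disneyaccount.disney.com@disney-plus-offer.net/",
    "https://id.disney.com.login.example/",
    "https://example.org/disney.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):18} {link}")
```

A "lookalike" result means only that the brand word appears in a host outside the named domains. A "no-brand-in-host" link can still be a phishing page, so this check complements the other red flags rather than replacing them.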
How to protect yourself
- Always navigate to disneyplus.com or disneyaccount.disney.com directly rather than clicking links in emails.
- Use a strong, unique password for your Disney account, given the breadth of services it links.
- Enable two-step login verification in your Disney account settings at disneyaccount.disney.com.
- If you entered credentials on a suspicious page, change your Disney account password immediately and review linked payment methods.
- Check your Disney account for any modified booking details or unfamiliar park reservations.
How to report it
- Report the phishing email or website to Disney+ at disneyplus.com/help.
- Report the website to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/.
- Report to the FTC at ReportFraud.ftc.gov.
- UK users: report to Action Fraud at actionfraud.police.uk.
Frequently asked questions
Why is my Disney account linked to so many different Disney services?
Disney uses a single account system that spans Disney+, Disney Parks (via the My Disney Experience app), ShopDisney, and ESPN+. This convenience also means that a compromised password exposes all these services simultaneously.
How do I enable two-step verification on my Disney account?
Sign in at disneyaccount.disney.com, go to Security Settings, and enable two-step verification. You will receive a code by email or authenticator app each time you sign in from a new device.
I noticed a Disney Parks reservation I did not make — what should I do?
Sign in to My Disney Experience at disneyworld.disney.go.com and cancel any unrecognised reservations. Then change your Disney account password immediately and contact Disney Guest Services to flag the compromise.