Fake Disney+ Password-Reset Phishing
Phishing emails styled as Disney+ password-reset confirmations direct subscribers to a fake sign-in page that captures their Disney+ and linked email credentials.
Part of: Fake Password Reset Scams
Last reviewed: 7 June 2026
Disney+ uses a password-reset email flow that is familiar to subscribers. Scammers replicate this flow to send fake reset notifications to Disney+ users, creating a scenario where the recipient believes they must act to prevent an unauthorised password change from succeeding.
The emotional hook is the implication of a security incident: someone may be trying to take over the account. The fake email offers a way to 'block' this imaginary attack — but the 'block' mechanism is itself the credential-harvesting page.
Disney+ subscriber email addresses are widely available through previous data breaches affecting other services, so attackers can send targeted phishing emails to confirmed Disney+ users without needing to breach Disney+ itself.
How this scam works on the Disney+ brand
Disney+ sends password-reset confirmation emails from @email.disneyplus.com when a reset is genuinely requested. The email contains a reset link valid for a limited time and notes that no action is required if the recipient did not request a reset.
Fake reset emails deviate from this safe pattern by adding an 'If this was not you, click here to secure your account' call-to-action. This link points to a phishing domain, not to disneyplus.com. The fake page asks for the account email and password to 'verify identity' before 'cancelling the reset request'.
Some campaigns deliver the fake reset email shortly after a real login to the victim's account to seem contextually plausible. The timing makes the email feel directly related to a known legitimate activity.
Common red flags
- Sender is not from @email.disneyplus.com or @disneyplus.com
- The email includes a 'secure your account' link rather than just a note to ignore it
- The secure-account link does not lead to disneyplus.com
- You did not request a password reset
- The page asks for your password to 'cancel' or 'block' a reset — Disney+ does not work this way
- Urgent language claims the reset will complete in minutes unless you act
How to protect yourself
- Treat any unexpected password-reset email by going directly to disneyplus.com to check your account — do not click the email link
- If the reset was genuine and you did not request it, change your Disney+ password immediately via disneyplus.com
- Enable two-step verification in your Disney+ account settings if available
- Use a password manager so your Disney+ password is unique and not used on other services
- Check that your Disney+ account email address has not been changed in account settings
How to report it
- Report the phishing email to help.disneyplus.com
- Forward to [email protected]
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
- Submit the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
Frequently asked questions
What should I do if I receive a Disney+ password-reset email I did not request?
If you did not request a reset, go directly to disneyplus.com and change your password as a precaution. This prevents any reset link from being usable. Do not click the link in the email — navigate to disneyplus.com directly.
Can scammers complete a Disney+ password reset without access to my email?
Not through the official reset process. A genuine Disney+ password reset requires access to the registered email inbox. This is why securing your email account is as important as securing Disney+ itself — if your email is compromised, the streaming account can also be reset.
How do I tell a genuine Disney+ email from a fake one?
Check the sender's full email address — genuine Disney+ emails come from @email.disneyplus.com or @disneyplus.com. Real reset emails say to ignore the email if you did not initiate a reset — they do not include a 'secure your account' link that requires signing in.