With more than 10 million people having registered for Disney+ access as of launch day alone, it’s no surprise that some of those accounts ended up on the dark web, where hackers sell them to anyone looking to pay for access to Disney’s brand new streaming service. The phenomenon isn’t new, as stolen Netflix credentials and other logins have been sold online the same way for years. But if you’ve just discovered that someone hacked your account, it’s very likely that it’s your own fault.

Disney has finally broken its silence on recent reports that hacked account credentials are already being sold online, explaining to the BBC that its service wasn’t hacked. “Disney takes the privacy and security of our users’ data very seriously, and there is no indication of a security breach on Disney+,” a spokesman said.

There are several ways for hackers to breach Disney+ accounts. The simplest one is facilitated by a very annoying habit, which is reusing username and password combinations. That’s something plenty of people do, and when one of their online accounts is hacked the chances are that hackers would retest the same user and password combination on other sites, Disney+ included.

Another way to have your credentials stolen, even accounts that feature unique passwords and email addresses, is having malware installed on your computer, the kind of program that can spy on everything you type, usernames Hand passwords included. However, Disney isn’t to blame for the hack, as there’s no evidence to support the idea.

Even if the hacks were facilitated by poor online security practices, Disney can improve Disney+ account protection with two-factor authentication, as well as a way to log everyone out who has access to your account.

Some people also worry that people accessing their accounts without authorization could get into other Disney properties that can be accessed with the same password, including the Disney store and park sites.