Disney Vacation Club Website Not Validating User Passwords

At the moment, two-factor authentication codes are the only thing keeping Disney Vacation Club member accounts secure. 

On November 16, Disney Vacation Club introduced two-factor authentication to logins to the member website. This process involves sending a 6-digit code to the member's cell phone or email in order to complete the login. This unique code--which expires after several minutes--is intended to be combined with the user's password to process the login. The password and the time-sensitive code represent two pieces of information required in order to access the user's account. 

It appears that the site enhancement may have introduced a bug that currently bypasses the password portion of the login. Members can currently enter their DVC username and any random series of characters in the password field. Even if the password entry does not match what the member has on file, the two-factor authentication code will still be sent. Upon verification of that code, the login will be successfully processed without ever checking the password.
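The flow described above can be modeled in a few lines. This is an added illustration, not Disney's code: the `LoginService` class, the account data, the 300-second expiry and the attempt cap are all assumptions. With `check_password=False` the service behaves as reported; the default only issues a code after the password matches.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"constructed-salt"            # constructed sample data, not real values
CODE_TTL = 300                        # assumed; the article says "several minutes"
MAX_TRIES = 5                         # assumed cap on wrong-code attempts

def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

USERS = {"member1": _hash("correct horse")}   # hypothetical account

class LoginService:
    def __init__(self, check_password=True):
        self.check_password = check_password  # False models the reported bug
        self.pending = {}                     # username -> [code, expiry, tries]
        self.outbox = []                      # stands in for SMS/email delivery

    def start(self, username, password, now=None):
        """Step 1: issue a code only if the password step allows it."""
        now = time.time() if now is None else now
        stored = USERS.get(username)
        ok = stored is not None and hmac.compare_digest(stored, _hash(password))
        if stored is None or (self.check_password and not ok):
            return False                      # no code sent, no pending state
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [code, now + CODE_TTL, 0]
        self.outbox.append((username, code))
        return True

    def finish(self, username, code, now=None):
        """Step 2: accept the code only against state created by step 1."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        expected, expiry, tries = entry
        if now > expiry or tries >= MAX_TRIES:
            del self.pending[username]
            return False
        if not hmac.compare_digest(expected.encode(), code.encode()):
            entry[2] += 1
            return False
        del self.pending[username]            # codes are single use
        return True
```

A regression test for this class of bug asserts that a wrong password produces no outgoing code and no pending login state.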

Members' accounts should remain secure, as long as their email inbox and cell phone are protected. The login will not complete successfully unless that 6-digit code is entered. The code can only be distributed using the email address or cell phone number on file. 

Additionally, most features supported by the website are of little use to a non-member. The site allows owners to add, modify and cancel reservations. All of this activity is plainly evident and subject to further modification until a stay occurs. Members can also perform administrative functions like banking points and paying annual dues. Points cannot be permanently transferred out of a user's account via the website. 

This bug does not appear to be impacting other Disney websites like MyDisneyExperience.com. 

We have reached out to Disney Vacation Club for comment and will update this story if a response is received.

h/t DISboards.com