In an account takeover incident reminiscent of the site defacements that were common in the 1990s and early 00s (before hacking became a multibillion-dollar industry for criminals), social media accounts belonging to Disneyland were compromised by an unknown party and used to post crude and offensive messages for a short period before the company was able to recover them.
The company lost access to its Instagram and Facebook social media accounts for a brief period on the morning of July 7, 2022. It remains unclear who the hacker was; the attacker credited a video game streamer and graphic designer named David Do, but Do has said that he was framed and that the incident may have stemmed from some sort of bad blood with an unspecified party.
Disneyland account takeover subjected followers to racist and graphic messages
The comparison to “old school hacking” does not suggest that the account takeover was innocent; to the contrary, it was extremely offensive. But the attacker made the breach obvious from the beginning and did not attempt to use the access to tens of millions of Disneyland followers to run a scam, pass malware or even make a serious attempt at reputational damage to the company.
It resembled the sort of prank a disturbed teenager might play. And this would not be the first time that teenagers breached high-profile social media accounts: a group of teens accessed the highest levels of Twitter administration in 2020. It would make sense for a less experienced attacker to focus on a company’s social media accounts, as the platforms are often not designed to allow cybersecurity tools and protections to be brought to bear on them.
In addition to not integrating with most of an organization’s security tools, social media accounts sometimes do not even offer native features considered to be basic best practices for cyber defenses. For example, Instagram does not require high-profile verified accounts to implement multi-factor authentication. Third-party tools used to post simultaneously on multiple platforms can be even worse in terms of security, facilitating multiple account takeovers from a central source.
Limits to social media account security require special attention
Disneyland was able to recover from the account takeover in short order, and should count itself lucky that the perpetrators were not an organized criminal group looking to attack its customers. Social media is not generally high on the priority list for IT security teams, but this incident demonstrates what can potentially happen if these accounts are left vulnerable.
In Disneyland’s case, this meant 8.4 million Instagram followers and 17 million followers on Facebook. The company may have ended up assuming some responsibility if those followers had been directed to malware or had their money taken from them via a scam. A more targeted approach might have also badly hurt the company’s reputation. While lateral movement from a social media account takeover incident is very unlikely (unless login credentials are re-used), companies could nevertheless face severe financial and brand damage when they lose control of these accounts.