Disneyland hack reveals dangers of social media account takeover


Yesterday, Disneyland Anaheim’s Instagram and Facebook accounts were hacked by a self-proclaimed “super hacker” using the alias David Do, who proceeded to publish racist and homophobic posts across the accounts. 

The attack appears to have been motivated by a negative experience with the brand, with the attacker stating he was “here to bring revenge upon Disney land [sic],” and tired of Disney employees “mocking” him. 

While Disneyland was quick to regain control of the accounts and remove the posts, the event has been a PR nightmare that left millions of visitors and families exposed to hateful and offensive content, particularly on Disneyland Anaheim’s Instagram, which has 8.4 million followers. 

For other organizations, the Disneyland breach highlights that while platforms like Facebook and Instagram can help reach a wider audience, they also open the door to social media account takeover, which an attacker can use to seriously damage an organization’s reputation.  

While it’s unclear how the hacker gained access to Disneyland’s social accounts, Aaron Turner, CTO of SaaS Protect at California-based AI cybersecurity provider Vectra, believes that social media companies are to blame for offering organizations poor authentication mechanisms. 

“From an identity and access perspective, it has always disappointed me that the major social media and internet publishing will not allow for their biggest sponsors to utilize strong authentication and federated identities to protect their brands,” Turner said. 

One of the key problems with social media accounts, and the reason they are vulnerable to account takeover attempts, is that they rely on password-based authentication, which is susceptible to credential theft. 

According to the Verizon 2022 Data Breach Investigations Report, last year, 50% of breaches were caused by stolen credentials. 

“Because Instagram forced Disney to use a low-security authentication mechanism, essentially something that would not qualify as enterprise-grade authentication with appropriate logging, monitoring and anomaly detection, it created an opportunity for this online vandalism to take place,” Turner said. 

Turner highlights that social media account takeover is a very simple way for a threat actor to cause serious damage to an organization’s reputation. As a result, organizations need to be aware that using social media does present reputational risks that need to be managed. 

Why are credentials so easy to exploit? 

Although it wouldn’t be fair to speculate on how the attacker gained access to Disneyland’s accounts, it is true that credential theft plays a significant role in many social media account takeover attempts.

In fact, research shows that 22% of U.S. adults have been victims of account takeover, and that social media accounts made up 51% of those cases. The same research found that 60% of account takeover victims had reused the compromised account’s password across multiple accounts. 

This is something that most organizations are well aware of, too, with 84% of IT leaders saying passwords are a deceptively weak way to secure data.

Credential theft is so common because it is low risk and high reward. A hacker can obtain a victim’s email address and start trying to brute force a weak password, search for leaked credentials online, or target the victim with a phishing campaign that tricks them into entering their login credentials on a spoofed website. 

Given that there are over 15 billion leaked credentials available online, cybercriminals don’t even need any technical expertise to break into an account; they can simply reuse credentials that someone else has already leaked. 

Mitigating social media account takeover is challenging because passwords are innately vulnerable to theft through phishing scams, social engineering attempts and brute force hacks. 

At the same time, the additional security measures offered by social media platforms, like multifactor authentication, can also be bypassed: threat actors like Lapsus$ and Dark Halo have both used techniques to sidestep the authentication mechanism in the past.  

Craig Lurey, CTO and cofounder of zero-trust security company Keeper Security, recommends that organizations deploy a variety of controls to augment the security of their online accounts.  

“Password managers can easily protect social media accounts with strong, unique passwords and can also protect the second factor (TOTP code). Social media accounts can also be shared from vault-to-vault securely among a marketing or social media team with role-based access controls and audit trails,” Lurey said. 

These measures can help to reduce the likelihood of a breach, particularly if they’re combined with security awareness training to help educate employees on how to select strong passwords and detect phishing scams. 
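As an added illustration of the controls Lurey describes (shared vault, role-based access, audit trail, and a vault-held TOTP second factor), the Python below is example code written for this article, not code from the original piece or from Keeper Security. The role names, team members, account names and passwords are constructed; the TOTP routine follows RFC 6238 (HMAC-SHA1 with 30-second steps) and can be checked against that RFC’s published test vector.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    big-endian 8-byte counter, followed by dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class AccessDenied(PermissionError):
    pass


# Constructed role model: which team roles may read or rotate a shared account.
ROLE_PERMISSIONS = {
    "social_admin": {"read", "rotate"},
    "social_editor": {"read"},
    "finance": set(),
}


@dataclass
class VaultEntry:
    account: str
    password: str
    totp_secret: bytes  # second factor held in the vault, not on one person's phone


@dataclass
class SharedVault:
    roles: dict  # username -> role name (constructed for this example)
    entries: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _authorize(self, user: str, action: str, account: str) -> None:
        allowed = action in ROLE_PERMISSIONS.get(self.roles.get(user), set())
        # Every attempt is recorded, denied ones included, so misuse shows up in review.
        self.audit_log.append(
            {"user": user, "action": action, "account": account, "allowed": allowed}
        )
        if not allowed:
            raise AccessDenied(f"{user} may not {action} {account}")

    def store(self, user: str, account: str, password: str, totp_secret: bytes) -> None:
        self._authorize(user, "rotate", account)
        self.entries[account] = VaultEntry(account, password, totp_secret)

    def rotate(self, user: str, account: str) -> str:
        """Replace the password with a random, unique one from the OS CSPRNG."""
        self._authorize(user, "rotate", account)
        new_password = secrets.token_urlsafe(18)  # 144 bits of entropy
        self.entries[account].password = new_password
        return new_password

    def login_material(self, user: str, account: str, unix_time: int) -> tuple[str, str]:
        """Return (password, current TOTP code) to an authorized team member."""
        self._authorize(user, "read", account)
        entry = self.entries[account]
        return entry.password, totp(entry.totp_secret, unix_time)

    def reused_passwords(self) -> list[list[str]]:
        """Groups of accounts sharing one password, compared by SHA-256 digest."""
        by_hash: dict[str, list[str]] = {}
        for entry in self.entries.values():
            key = hashlib.sha256(entry.password.encode()).hexdigest()
            by_hash.setdefault(key, []).append(entry.account)
        return [sorted(group) for group in by_hash.values() if len(group) > 1]


if __name__ == "__main__":
    vault = SharedVault(roles={"alice": "social_admin", "bob": "social_editor"})
    vault.store("alice", "instagram", "Summer2022!", b"12345678901234567890")
    vault.store("alice", "facebook", "Summer2022!", b"abcdefghijklmnopqrst")
    print("reused:", vault.reused_passwords())
    print("editor login:", vault.login_material("bob", "instagram", 59))
    vault.rotate("alice", "instagram")
    print("reused after rotation:", vault.reused_passwords())
    print("audit:", vault.audit_log)
```

The reuse check is the part worth keeping even without the rest: the article’s 60% reuse figure is exactly what it catches, and comparing digests means the check can run without handling plaintext. The audit log records denied attempts as well as granted ones, which is the monitoring signal Turner says enterprise-grade authentication should provide.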

However, as long as social media accounts rely on passwords, there will always be some risk of credential theft, until passwordless authentication options, like those promoted by the FIDO Alliance, achieve widespread adoption.
