A hack of Disneyland’s social media in the early hours of July 7 appeared to be a vulgar prank and was quickly scrubbed from the internet, but the brazen account takeover demonstrated that even the world’s most prominent companies continue to have gaps in areas of cyber operations that are considered “less essential.”
The hacker referred to himself as “David Do” and attached what appeared to be selfies and an Instagram link, but it remains unclear if this was the actual perpetrator. The account takeover did not appear to be for the purposes of scamming funds or breaching the Disney network, with the hacker posting racist messages and strange jokes about inventing Covid-19 before Disney regained control. Disneyland’s Facebook and Instagram accounts were both breached, and the company took some of its social media presence offline for a short period as it recovered from the attack.
Compromise of multiple social media accounts highlights common vulnerabilities
The California park’s Facebook account has about 17 million followers, and the Instagram account has about 8.4 million. Disneyland’s social media is usually known for pictures of children and families enjoying the park.
The hacker left the handle for “chi11estpanda” on Instagram, which does belong to a Twitch video game streamer named David Do. The pictures also appear to be from Do’s various other social media accounts. However, Do told recent commenters on his YouTube videos that he was not behind the account takeovers and suggested the frame-up might have stemmed from some sort of personal beef with some “real hackers.” He also made his Instagram private after it was referenced on Disney social media. Do publicly runs a graphic design company in addition to his streaming under the same username, and it seems very unlikely he would attempt to advertise his business with a social media break-in containing racial epithets and disparaging remarks about himself.
Regardless of the identity of the perpetrator, these account takeovers highlight the fact that even the world’s biggest companies often do not (and in some cases cannot) secure these “lower priority” social media accounts. They are generally viewed as external marketing channels, often managed with some level of involvement of a third-party contractor, and are not seen as something that can cause core business disruption if they are breached.
To some degree that is true, at least as seen through the framework of protecting internal assets and cutting off channels of lateral movement. Breach of a social media account is almost certain to go nowhere, unless the credentials are re-used for more sensitive internal accounts. But these account takeovers can cause serious reputational damage, and are also of value to scammers looking to pass malware links or collect money from victims using the cachet of an established brand.
There are numerous examples of the latter phenomenon, one of the biggest being the 2020 breach of Twitter. That attack saw a band of teenage hackers socially engineer their way into admin-level access to the platform for a brief time, and one of their specific targets was celebrity accounts with which to pass a crypto scam. More recently, isolated companies and organizations have seen various social media accounts breached to promote similar scams: a bogus NFT offering from Ferrari, a Twitter account takeover of famous digital NFT artist Mike Winkelmann (Beeple) used to push an NFT scam and phishing links, and even a breach of various social media accounts of the British Army (also used to push an NFT scam) have all taken place in recent months.
Account takeovers can have serious consequences; platforms sometimes offer only limited protections
A general lack of social media security that leads to account takeovers can occur for a number of reasons. Companies may turn over the keys to the accounts to third-party management services to do their posting for them, and these services may have weak security practices of their own. The company itself may also be guilty of sharing social media passwords among multiple employees (something also known to happen with collaboration channels like Slack), posting them in public places and storing them in digital form for the sake of convenience. Or it might use a third-party tool for simultaneous posting across multiple social media platforms which suffers a breach, something that seems to be the likely culprit in the Disneyland account takeover case given the posts on both Facebook and Instagram within a small window of time.
However, it’s not always the company’s fault. Some social media platforms simply limit the degree to which they can be properly secured by users. For example, Instagram does not offer the tools that a company would usually have for monitoring and securing its internal network: the account owner cannot log or automatically detect anomalous behavior on the account. As Ian McShane, VP of Strategy for Arctic Wolf, notes: “While the reasons behind the compromise and messages are yet to be fully understood, the widespread shock from Disney’s 8.4 million followers should be a lesson to organizations of all sizes that, while social media accounts don’t contain their most crucial data, they can still be used to disrupt and harm a company’s operations. With that said, compromises of this nature are almost certainly rooted in a phishing or credential stuffing incident, something that could have been mitigated with MFA, which doesn’t appear to be enforced for verified Instagram accounts.”
Some platforms have even lagged in allowing for strong multi-factor authentication for logins, even as an optional setting. And, as Twitter demonstrated in 2020, if the platform itself is breached with a high enough level of access then all bets might be off no matter what the company is doing for security.
Organizations naturally want to prioritize the cybersecurity budget to focus on internal security. These incidents make clear that social media needs attention paid to it, however. Craig Lurey, CTO and Co-Founder at Keeper Security, offers some advice to teams that need to share social account access among multiple individuals: “This breach demonstrates the common attack vector of account takeover from a weak or re-used password. Password managers can easily protect social media accounts with strong, unique passwords and can also protect the second factor (TOTP code). Social media accounts can also be shared from vault-to-vault securely among a marketing or social media team with role-based access controls and audit trails.”
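To make the "protect the second factor" and "share with role-based access and audit trails" advice concrete, here is an added illustration (not code from the article, Keeper Security, or any password manager): a standard RFC 4226/6238 HOTP/TOTP implementation plus a hypothetical `SharedSocialVault` class that keeps the enrolled TOTP seed inside the vault, hands out only a 30-second code to members holding the "poster" role, and records every request. The seed used is the constructed RFC 4226 test key, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional, Tuple

# Constructed demo seed: base32 of the RFC 4226 test key b"12345678901234567890".
# A real platform shows a seed like this once, at MFA enrolment; it belongs in the vault.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


class SharedSocialVault:
    """Hypothetical team vault for one brand account. The TOTP seed never leaves
    the vault; members receive only a short-lived code, gated by role and logged."""

    def __init__(self, secret_b32: str, roles: Dict[str, str]) -> None:
        self._secret = secret_b32
        self._roles = roles  # username -> "poster" (may log in) or "viewer"
        self.audit: List[Tuple[str, str, bool]] = []  # (user, action, allowed)

    def code_for(self, user: str, at: Optional[int] = None) -> Optional[str]:
        allowed = self._roles.get(user) == "poster"
        self.audit.append((user, "totp_request", allowed))
        return totp(self._secret, at) if allowed else None


if __name__ == "__main__":
    vault = SharedSocialVault(DEMO_SECRET_B32, {"alice": "poster", "bob": "viewer"})
    print("alice:", vault.code_for("alice"))  # a live 6-digit code
    print("bob:", vault.code_for("bob"))      # None: viewer role cannot log in
    print("audit:", vault.audit)
```

Because the seed stays server-side in the vault, revoking a departing contractor is a role change plus an audit entry rather than a re-enrolment of MFA on every shared account.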
Matt Chiodi, Chief Trust Officer of Cerby, adds: “Social media attacks happen because none of the platforms support common identity standards like single sign-on and systems for cross-domain identity management (or SCIM) for automatically adding and removing users. The lack of support for these standards is a glaring hole in the armor of many enterprises … I call them unmanageable because they all lack support for common identity standards that are an essential pillar in every enterprise security strategy. Zero Trust for these unmanageable applications? Forget about it. You can’t include them in the Zero Trust “protect” surface without some mechanism to tie them into your corporate identity … Until these problems are solved we should expect to see these types of social media attacks continue to expand and negatively impact brand trust.”