CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
Cyber Security · News

Disneyland Account Takeover Highlights Lax Security for Social Media Accounts

Scott Ikeda·July 13, 2022

A hack of Disneyland’s social media in the early hours of July 7 appeared to be a vulgar prank and was quickly scrubbed from the internet, but the brazen account takeover demonstrated that even the world’s most prominent companies continue to have gaps in areas of cyber operations that are considered “less essential.”

The hacker referred to himself as “David Do” and attached what appeared to be selfies and an Instagram link, but it remains unclear if this was the actual perpetrator. The account takeover did not appear to be for the purposes of scamming funds or breaching the Disney network, with the hacker posting racist messages and strange jokes about inventing Covid-19 before Disney regained control. Disneyland’s Facebook and Instagram accounts were both breached, and the company took some of its social media presence offline for a short period as it recovered from the attack.

Compromise of multiple social media accounts highlights common vulnerabilities

The California park’s Facebook account has about 17 million followers, and the Instagram account has about 8.4 million. Disneyland’s social media is usually known for pictures of children and families enjoying the park.

The hacker left the handle for “chi11estpanda” on Instagram, which does belong to a Twitch video game streamer named David Do. The pictures also appear to be from Do’s various other social media accounts. However, Do told recent commenters on his YouTube videos that he was not behind the account takeovers and suggested the frame-up might have stemmed from some sort of personal beef with some “real hackers.” He also made his Instagram private after it was referenced on Disney social media. Do publicly runs a graphic design company in addition to his streaming under the same username, and it seems very unlikely he would attempt to advertise his business with a social media break-in containing racial epithets and disparaging remarks about himself.

Regardless of the identity of the perpetrator, these account takeovers highlight the fact that even the world’s biggest companies often do not (and in some cases cannot) secure these “lower priority” social media accounts. They are generally viewed as external marketing channels, often managed with some level of involvement of a third-party contractor, and are not seen as something that can cause core business disruption if they are breached.

To some degree that is true, at least as seen through the framework of protecting internal assets and cutting off channels of lateral movement. Breach of a social media account is almost certain to go nowhere, unless the credentials are re-used for more sensitive internal accounts. But these account takeovers can cause serious reputational damage, and are also of value to scammers looking to pass malware links or collect money from victims using the cachet of an established brand.

There are numerous examples of the latter phenomenon, one of the biggest being the 2020 breach of Twitter. That attack saw a band of teenage hackers socially engineer their way into admin-level access to the platform for a brief time, and one of their specific targets was celebrity accounts with which to pass a crypto scam. More recently, isolated companies and organizations have seen various social media accounts breached to promote similar scams: a bogus NFT offering from Ferrari, a Twitter account takeover of famous digital NFT artist Mike Winkelmann (Beeple) used to push an NFT scam and phishing links, and even a breach of various social media accounts of the British Army (also used to push an NFT scam) have all taken place in recent months.

Account takeovers can have serious consequences; platforms sometimes offer only limited protections

A general lack of social media security that leads to account takeovers can occur for a number of reasons. Companies may turn over the keys to the accounts to third-party management services to do their posting for them, and these services may have weak security practices of their own. The company itself may also be guilty of sharing social media passwords among multiple employees (something also known to happen with collaboration channels like Slack), posting them in public places and storing them in digital form for the sake of convenience. Or it might use a third-party tool for simultaneous posting across multiple social media platforms, and that tool suffers a breach; this seems to be the likely culprit in the Disneyland account takeover case, given that the posts appeared on both Facebook and Instagram within a small window of time.

However, it’s not always the company’s fault. Some social media platforms simply limit the degree to which they can be properly secured by users. For example, Instagram does not offer the tools that a company would usually have for monitoring and securing its internal network: companies cannot collect logs for, or automatically detect anomalous behavior on, the account. As Ian McShane, VP of Strategy for Arctic Wolf, notes: “While the reasons behind the compromise and messages are yet to be fully understood, the widespread shock from Disney’s 8.4 million followers should be a lesson to organizations of all sizes that, while social media accounts don’t contain their most crucial data, they can still be used to disrupt and harm a company’s operations. With that said, compromises of this nature are almost certainly rooted in a phishing or credential stuffing incident, something that could have been mitigated with MFA, which doesn’t appear to be enforced for verified Instagram accounts.”
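Where the platform itself offers no anomaly detection, the audit trail of whatever tool the team posts through is often the only place the pattern described above (a new login source followed by a burst of posts across platforms at an unusual hour) can be caught. The following is an added example written for this article, not code from Disney, Arctic Wolf or any posting-tool vendor; it assumes a hypothetical JSON-lines audit export whose field names (`ts`, `actor`, `event`, `src_ip`, `geo`, `platform`) and sample values are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit export (JSON lines) from a hypothetical third-party
# posting tool that publishes to several platforms. The event schema and the
# values are assumptions for this example, not real logs from any vendor or
# from the Disneyland incident.
SAMPLE_AUDIT_LOG = """\
{"ts": "2022-07-06T14:02:11Z", "actor": "brand-social", "event": "login", "src_ip": "203.0.113.7", "geo": "US"}
{"ts": "2022-07-06T14:05:40Z", "actor": "brand-social", "event": "post", "platform": "instagram"}
{"ts": "2022-07-07T03:41:05Z", "actor": "brand-social", "event": "login", "src_ip": "198.51.100.22", "geo": "XX"}
{"ts": "2022-07-07T03:42:10Z", "actor": "brand-social", "event": "post", "platform": "facebook"}
{"ts": "2022-07-07T03:42:30Z", "actor": "brand-social", "event": "post", "platform": "instagram"}
{"ts": "2022-07-07T03:43:02Z", "actor": "brand-social", "event": "post", "platform": "facebook"}
"""

# Baseline of source addresses each account is expected to log in from
# (constructed; in practice learned from a trusted history window).
KNOWN_SOURCES = {"brand-social": {"203.0.113.7"}}


def parse_events(log_text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(log_text, known_sources, quiet_hours=(0, 6),
                     burst_window=timedelta(minutes=5), burst_min_posts=3):
    """Return (ts, rule, actor, detail) alerts for three simple rules:
    - new_login_source: a login from an address not in the actor's baseline
    - off_hours_post: a post published inside the quiet window (UTC hours)
    - multi_platform_burst: at least burst_min_posts posts to two or more
      platforms within burst_window (one alert per burst, then the window resets)
    """
    alerts = []
    seen = {actor: set(ips) for actor, ips in known_sources.items()}
    recent_posts = defaultdict(list)  # actor -> [(ts, platform), ...]

    for ev in parse_events(log_text):
        actor, ts = ev["actor"], ev["ts"]
        if ev["event"] == "login":
            src = ev.get("src_ip")
            if src not in seen.setdefault(actor, set()):
                alerts.append((ts, "new_login_source", actor,
                               f"{src} ({ev.get('geo', '?')})"))
                seen[actor].add(src)
        elif ev["event"] == "post":
            platform = ev.get("platform", "?")
            start, end = quiet_hours
            if start <= ts.hour < end:
                alerts.append((ts, "off_hours_post", actor, platform))
            # keep only posts by this actor inside the burst window, then add this one
            window = [p for p in recent_posts[actor] if ts - p[0] <= burst_window]
            window.append((ts, platform))
            platforms = {p[1] for p in window}
            if len(window) >= burst_min_posts and len(platforms) >= 2:
                alerts.append((ts, "multi_platform_burst", actor,
                               ", ".join(sorted(platforms))))
                window = []  # a sustained burst raises one alert per window
            recent_posts[actor] = window
    return alerts


if __name__ == "__main__":
    for ts, rule, actor, detail in detect_anomalies(SAMPLE_AUDIT_LOG, KNOWN_SOURCES):
        print(f"{ts.isoformat()}  {rule:22} {actor}  {detail}")
```

On the constructed sample the second login trips the new-source rule, each of the three night-time posts trips the off-hours rule, and the third post completes a cross-platform burst. The quiet window and burst thresholds are tuning knobs; a real deployment would set them from the team's actual posting schedule.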

Some platforms have even lagged in allowing for strong multi-factor authentication for logins, even as an optional setting. And, as Twitter demonstrated in 2020, if the platform itself is breached with a high enough level of access then all bets might be off no matter what the company is doing for security.

Organizations naturally want to prioritize the cybersecurity budget to focus on internal security. These incidents make clear that social media needs attention paid to it, however. Craig Lurey, CTO and Co-Founder at Keeper Security, offers some advice to teams that need to share social account access among multiple individuals: “This breach demonstrates the common attack vector of account takeover from a weak or re-used password. Password managers can easily protect social media accounts with strong, unique passwords and can also protect the second factor (TOTP code). Social media accounts can also be shared from vault-to-vault securely among a marketing or social media team with role-based access controls and audit trails.”
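The “second factor (TOTP code)” a vault protects is not the six-digit code itself but the shared secret behind it: anyone holding the secret can compute every future code, which is why it belongs in the vault rather than on one employee's phone or in a chat channel. As an added example, not code from Keeper Security or from the article, the following implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and checks itself against the RFC's published test vectors; the drift-tolerant `verify_totp` helper and the base32 normalisation are this example's own additions.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (the RFC's own test-vector key), used here only so
# the results can be checked against published vectors; a real account secret
# must never be hard-coded like this.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()


def secret_from_base32(text):
    """Decode the base32 secret an authenticator QR code carries (spaces and
    case are normalised, missing '=' padding restored)."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to a code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at, step=30, drift=1, digits=6):
    """Accept a code for the current step or up to `drift` steps either side
    (clock skew between client and server), comparing in constant time."""
    for k in range(-drift, drift + 1):
        candidate = totp(secret, int(at) + k * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("current code:", totp(secret, time.time()))
    print("RFC 6238 vector T=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082
```

Two practical points follow from the code: the verifier should keep `drift` small (one step is the usual choice) because every extra step widens the window in which a phished code stays valid, and the secret should be stored and shared through the vault's own sharing mechanism rather than re-typed into several authenticator apps.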


Matt Chiodi, Chief Trust Officer of Cerby, adds: “Social media attacks happen because none of the platforms support common identity standards like single sign-on and systems for cross-domain identity management (or SCIM) for automatically adding and removing users. The lack of support for these standards is a glaring hole in the armor of many enterprises … I call them unmanageable because they all lack support for common identity standards that are an essential pillar in every enterprise security strategy. Zero Trust for these unmanageable applications? Forget about it. You can’t include them in the Zero Trust “protect” surface without some mechanism to tie them into your corporate identity … Until these problems are solved we should expect to see these types of social media attacks continue to expand and negatively impact brand trust.”
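What SCIM automates, and what Chiodi's “unmanageable” applications lack, is the continuous alignment of who holds access with who the corporate directory says should: joiners get added, leavers get removed, and nobody keeps a role their group does not grant. Until a platform supports that, the fallback is a periodic reconciliation of the vault's sharing records against an identity-provider export. The following is an added example for this article, not code from Cerby or any vendor; the directory, the vault share list, the group-to-role mapping and the account names are all constructed, and a real job would feed the resulting actions to the vault's API rather than print them.

```python
# Constructed inputs standing in for an identity-provider export and a vault's
# sharing records for one shared social media credential; both schemas are
# assumptions for this example.
IDP_DIRECTORY = {  # active users -> IdP groups
    "alice@example.com": {"social-admins"},
    "bob@example.com": {"social-editors"},
    "carol@example.com": {"social-editors"},
    "erin@example.com": {"social-editors"},
}
VAULT_SHARES = [  # who currently holds the shared record, and with what role
    {"user": "alice@example.com", "role": "owner"},
    {"user": "bob@example.com", "role": "viewer"},
    {"user": "carol@example.com", "role": "owner"},   # holds more than her group allows
    {"user": "dave@example.com", "role": "editor"},   # no longer in the directory
]
ROLE_RANK = {"viewer": 0, "editor": 1, "owner": 2}
GROUP_ROLE = {"social-admins": "owner", "social-editors": "editor"}


def entitled_role(groups, group_role=GROUP_ROLE):
    """Highest vault role any of the user's IdP groups grants, or None."""
    roles = [group_role[g] for g in groups if g in group_role]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def reconcile(directory, shares, group_role=GROUP_ROLE):
    """Compare current shares with what the directory entitles and return the
    actions a SCIM-style sync would take: remove, downgrade, add.
    Holding less than the entitled role is left alone (least privilege)."""
    actions = {"remove": [], "downgrade": [], "add": []}
    held = {s["user"]: s["role"] for s in shares}
    for user, role in held.items():
        allowed = entitled_role(directory.get(user, set()), group_role)
        if allowed is None:          # left the company or lost the entitling group
            actions["remove"].append(user)
        elif ROLE_RANK[role] > ROLE_RANK[allowed]:
            actions["downgrade"].append((user, role, allowed))
    for user, groups in directory.items():
        allowed = entitled_role(groups, group_role)
        if allowed is not None and user not in held:
            actions["add"].append((user, allowed))
    for key in actions:
        actions[key].sort()
    return actions


if __name__ == "__main__":
    for action, items in reconcile(IDP_DIRECTORY, VAULT_SHARES).items():
        print(f"{action}: {items}")
```

Run on a schedule and diffed against the previous run, the output doubles as an audit trail of access changes to the account, which is the other half of what the SSO and SCIM integrations Chiodi describes would provide automatically.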


Tags: Account Takeover, Disney, Social Media
Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda has been a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.