CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
Disneyland Account Takeover Highlights Lax Security for Social Media Accounts

Scott Ikeda·July 13, 2022

A hack of Disneyland’s social media in the early hours of July 7 appeared to be a vulgar prank and was quickly scrubbed from the internet, but the brazen account takeover demonstrated that even the world’s most prominent companies continue to have gaps in areas of cyber operations that are considered “less essential.”

The hacker referred to himself as “David Do” and attached what appeared to be selfies and an Instagram link, but it remains unclear if this was the actual perpetrator. The account takeover did not appear to be for the purposes of scamming funds or breaching the Disney network, with the hacker posting racist messages and strange jokes about inventing Covid-19 before Disney regained control. Disneyland’s Facebook and Instagram accounts were both breached, and the company took some of its social media presence offline for a short period as it recovered from the attack.

Compromise of multiple social media accounts highlights common vulnerabilities

The California park’s Facebook account has about 17 million followers, and the Instagram account has about 8.4 million. Disneyland’s social media is usually known for pictures of children and families enjoying the park.

The hacker left the handle for “chi11estpanda” on Instagram, which does belong to a Twitch video game streamer named David Do. The pictures also appear to be from Do’s various other social media accounts. However, Do told recent commenters on his YouTube videos that he was not behind the account takeovers and suggested the frame-up might have stemmed from some sort of personal beef with some “real hackers.” He also made his Instagram private after it was referenced on Disney social media. Do publicly runs a graphic design company in addition to his streaming under the same username, and it seems very unlikely he would attempt to advertise his business with a social media break-in containing racial epithets and disparaging remarks about himself.

Regardless of the identity of the perpetrator, these account takeovers highlight the fact that even the world’s biggest companies often do not (and in some cases cannot) secure these “lower priority” social media accounts. They are generally viewed as external marketing channels, often managed with some level of involvement of a third-party contractor, and are not seen as something that can cause core business disruption if they are breached.

To some degree that is true, at least as seen through the framework of protecting internal assets and cutting off channels of lateral movement. Breach of a social media account is almost certain to go nowhere, unless the credentials are re-used for more sensitive internal accounts. But these account takeovers can cause serious reputational damage, and are also of value to scammers looking to pass malware links or collect money from victims using the cachet of an established brand.

There are numerous examples of the latter phenomenon, one of the biggest being the 2020 breach of Twitter. That attack saw a band of teenage hackers socially engineer their way into admin-level access to the platform for a brief time, and one of their specific targets was celebrity accounts with which to pass a crypto scam. More recently, isolated companies and organizations have seen various social media accounts breached to promote similar scams: a bogus NFT offering from Ferrari, a Twitter account takeover of famous digital NFT artist Mike Winkelmann (Beeple) used to push an NFT scam and phishing links, and even a breach of various social media accounts of the British Army (also used to push an NFT scam) have all taken place in recent months.

Account takeovers can have serious consequences; platforms sometimes offer only limited protections

A general lack of social media security that leads to account takeovers can occur for a number of reasons. Companies may turn over the keys to the accounts to third-party management services to do their posting for them, and these services may have weak security practices of their own. The company itself may also be guilty of sharing social media passwords among multiple employees (something also known to happen with collaboration channels like Slack), posting them in public places and storing them in digital form for the sake of convenience. Or it might use a third-party tool for simultaneous posting across multiple social media platforms that itself suffers a breach, which seems to be the likely culprit in the Disneyland account takeover case given that the posts appeared on both Facebook and Instagram within a small window of time.

However, it’s not always the company’s fault. Some social media platforms simply limit the degree to which they can be properly secured by users. For example, Instagram does not offer the tools that a company would usually have for monitoring and securing its internal network: a company cannot collect logs from, or automatically detect anomalous behavior on, that account. As Ian McShane, VP of Strategy for Arctic Wolf, notes: “While the reasons behind the compromise and messages are yet to be fully understood, the widespread shock from Disney’s 8.4 million followers should be a lesson to organizations of all sizes that, while social media accounts don’t contain their most crucial data, they can still be used to disrupt and harm a company’s operations. With that said, compromises of this nature are almost certainly rooted in a phishing or credential stuffing incident, something that could have been mitigated with MFA, which doesn’t appear to be enforced for verified Instagram accounts.”

Some platforms have even lagged in allowing for strong multi-factor authentication for logins, even as an optional setting. And, as Twitter demonstrated in 2020, if the platform itself is breached with a high enough level of access then all bets might be off no matter what the company is doing for security.

Organizations naturally want to prioritize the cybersecurity budget to focus on internal security. These incidents make clear, however, that social media accounts also need attention. Craig Lurey, CTO and Co-Founder at Keeper Security, offers some advice to teams that need to share social account access among multiple individuals: “This breach demonstrates the common attack vector of account takeover from a weak or re-used password. Password managers can easily protect social media accounts with strong, unique passwords and can also protect the second factor (TOTP code). Social media accounts can also be shared from vault-to-vault securely among a marketing or social media team with role-based access controls and audit trails.”

Matt Chiodi, Chief Trust Officer of Cerby, adds: “Social media attacks happen because none of the platforms support common identity standards like single sign-on and systems for cross-domain identity management (or SCIM) for automatically adding and removing users. The lack of support for these standards is a glaring hole in the armor of many enterprises … I call them unmanageable because they all lack support for common identity standards that are an essential pillar in every enterprise security strategy. Zero Trust for these unmanageable applications? Forget about it. You can’t include them in the Zero Trust “protect” surface without some mechanism to tie them into your corporate identity … Until these problems are solved we should expect to see these types of social media attacks continue to expand and negatively impact brand trust.”
