Disneyland Instagram, Facebook Accounts Defaced
Late last week, Disneyland found itself the victim of a self-styled “super hacker.” The attacker took over and defaced Facebook and Instagram accounts belonging to the “happiest place on earth.”
One thing’s for certain—no one was happy when racist messages appeared on the popular theme park’s social media accounts in what Vulcan Cyber Senior Technical Engineer Mike Parkin said “feels like a throwback to the old days of defacing websites.”
Apparently, both Disneyland’s Facebook and Instagram accounts were hacked. The super hacker, who claimed to be David Do, started posting in the wee hours of the morning on July 7, 2022, claiming to be a “super hacker that is here to bring revenge upon Disneyland” after he alleged park employees mocked him.
“Who’s the tough guy now Jerome?” [sic] the hacker asked, before unleashing a barrage of messages peppered with racial and homophobic slurs. He also made a number of fantastical claims, including that he created SARS-CoV-2, the virus that caused the COVID-19 pandemic, and was working on another form of the virus that he dubbed COVID-20.
Disneyland issued a statement confirming that the accounts “were compromised” and that the theme park had “worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation.”
As Disneyland is finding out, “social media account breaches can be quite embarrassing to any person or organization that has it happen,” said Parkin.
“Unfortunately, there’s no information on how the attacker gained access to Disney’s account and it would be imprudent to speculate,” he said. “It’s good that Disney was able to quickly take down the offending posts, but still unfortunate that their many followers were subjected to such inappropriate behavior.”
Aaron Turner, CTO at Vectra, said that “because Instagram forced Disney to use a low-security authentication mechanism—essentially something that would not qualify as enterprise-grade authentication with appropriate logging, monitoring and anomaly detection—it created an opportunity for this online vandalism to take place.”
Similar to the takeovers of bluecheck Twitter accounts a few years ago, and “the extremely damaging US Air vandalism prior to the American Airlines merger, the relative simplicity of running a social media account takeover campaign results in an attractive way for an attacker to cause significant brand damage,” said Turner.
“In an ideal world, social media platforms would allow their enterprise sponsor companies to federate their enterprise identities to the platform, allowing for security governance and controls to be implemented for those critical employees to have appropriate access using strong authentication,” he contended. “That federation would also allow enterprises’ security operations teams to monitor for abuse and anomalies to reduce the likelihood of an incident like what happened with Disney.”
“When viewed from an identity and access perspective, it has always disappointed me that the major social media and internet publishing companies will not allow their biggest sponsors to utilize strong authentication and federated identities to protect their brands,” said Turner. “Until the reliance on consumer-grade identities is remedied, we will continue to see these types of account takeover attacks.”
The Disneyland breach “demonstrates the common attack vector of account takeover from a weak or reused password,” Keeper Security co-founder and CTO Craig Lurey said. This underscores the need for stronger frontline protection.
“Password managers can easily protect social media accounts with strong, unique passwords and can also protect the second factor (TOTP code). Social media accounts can also be shared from vault-to-vault securely among a marketing or social media team with role-based access controls and audit trails.”