Disneyland hack reveals dangers of social media account takeover


We’re excited to deliver Rework 2022 again in-person July 19 and just about July 20 – 28. Be a part of AI and knowledge leaders for insightful talks and thrilling networking alternatives. Register at present!

Yesterday, Disneyland Anaheim’s Instagram and Fb accounts had been hacked by a self-proclaimed “tremendous hacker,” utilizing the Alias David Do, who proceeded to submit racist and homophobic posts throughout the accounts. 

The assault seems to have been motivated by a adverse expertise with the model, with the attacker stating he was “right here to deliver revenge upon Disney land [sic],” and uninterested in Disney workers “mocking” him. 

Whereas Disneyland was fast to regain management of the account and eliminated the posts, the occasion has been a PR nightmare, that’s left thousands and thousands of tourists and households uncovered to hateful and offensive content material, significantly on Disneyland Anaheim’s Instagram, which has 8.4 million followers. 

For different organizations, the Disneyland breach highlights that whereas platforms like Fb and Instagram will help attain a wider viewers, in addition they open the door to social media account takeover, which an attacker can use to significantly injury your status.  

Whereas it’s unclear how the hacker gained entry to Disneyland’s social accounts, Aaron Turner, CTO of SaaS Defend at California-based AI cybersecurity supplier, Vectra, believes that social media corporations are guilty for providing organizations poor authentication mechanisms. 

“From an Id and Entry perspective, it has all the time upset me that the main social media and web publishing is not going to permit for his or her greatest sponsors to make the most of robust authentication and federated identities to guard their manufacturers,” Turner stated. 

One of many key issues with social media accounts, and the explanation why accounts are weak to account takeover makes an attempt, is that they depend on password-based authentication, which is prone to credential theft. 

In accordance with the Verizon 2022 Information Breach Investigations Report, final 12 months, 50% of breaches had been brought on by stolen credentials. 

“As a result of Instagram pressured Disney to make use of a low-security authentication mechanism, primarily one thing that might not qualify as enterprise-grade authentication with acceptable logging, monitoring and anomaly detection, it created a chance for this on-line vandalism to happen,” Turner stated. 

Turner highlights that social media account takeover is a quite simple approach for a menace actor to trigger severe injury to a company’s status. 

In consequence, organizations should be conscious that utilizing social media does current reputational dangers that should be managed. 

Why are credentials really easy to take advantage of? 

Though it wouldn’t be truthful to take a position on how the attacker gained entry to Disneyland’s account, it’s true that credential theft performs a big function in lots of social media account takeover makes an attempt.

In reality, analysis exhibits that out of the 22% of U.S adults which were sufferer of account takeovers with social media accounts making up 51% of that complete. It additionally highlights that 60% of account takeover victims used the identical password because the compromised account throughout a number of accounts. 

That is one thing that almost all organizations are effectively conscious of too, with 84% of IT leaders saying passwords are a deceptively weak option to safe knowledge.

The explanation why there’s a lot credential theft is as a result of it’s low threat, and excessive reward. A hacker can receive a sufferer’s e-mail handle and begin making an attempt to brute power a weak password, seek for leaked credentials on-line, or goal the sufferer with a phishing marketing campaign to trick them into getting into their login credentials on a spoofed web site. 

Provided that there are over 15 billion leaked credentials obtainable on-line, cyber criminals don’t even must have an technical experience to interrupt into an account; they will steal credentials that another person has leaked on-line. 

Mitigating social media account takeover is difficult as a result of passwords are innately weak to theft by phishing scams, social engineering makes an attempt, and brute power hacks. 

On the identical time, extra safety measures provided by social media platforms like Multi-Issue Authentication are additionally simply exploitable with menace actors like Lapsus$ and Darkish Halo each utilizing methods to sidestep the authentication mechanism up to now.  

Craig Lurey, CTO and Co-Founding father of zero-trust safety firm, Keeper Safety recommends that organizations deploy a wide range of controls to reinforce the safety of their on-line accounts.  

“Password managers can simply shield social media accounts with robust, distinctive passwords and also can shield the second issue (TOTP code). Social media accounts can be shared from vault-to-vault securely amongst a advertising and marketing or social media workforce with role-based entry controls and audit trails,” Lurey stated. 

These measures will help to cut back the probability of a breach, significantly in the event that they’re mixed with safety consciousness coaching to assist educate workers on learn how to choose robust passwords and detect phishing scams. 

Nonetheless, so long as social media accounts depend on passwords, there may also be some threat of credential theft, till passwordless authentication choices, like these promoted by the FIDO alliance obtain widespread adoption.

VentureBeat’s mission is to be a digital city sq. for technical decision-makers to achieve data about transformative enterprise expertise and transact. Be taught extra about membership.

Share post:



More like this

Intel Geti and OpenVINO efforts advance AI and computer vision

Had been you unable to attend Rework 2022?...

The University of Idaho General Counsel’s Letter on Abortion

As I famous in my post on the...