Back

disney.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event affecting Disney.com, with over 2.6 million total events recorded between July 2025 and June 2026. The majority of these events are attributed to historical data breaches (1.4 million) and active infostealer logs (1.2 million), suggesting a persistent threat landscape. Employee and client data are both impacted, with client numbers significantly higher, particularly in August 2025 and January 2026. The primary malware families identified are Redline and LummaC2, both known for credential theft. The targeted services are predominantly related to Disney+ and Star+ Android applications, with a notable concentration of activity originating from Brazil, Argentina, and Mexico. The leak repository classification shows a heavy reliance on "Combolist sources," indicating compromised credential reuse as a likely attack vector. The high volume of data breaches and infostealer activity, coupled with the targeting of consumer-facing applications and a broad geographical spread, elevates the risk to "High." The prevalence of credential-harvesting malware like Redline and LummaC2, combined with the use of combolists, points to a focus on account takeover and potential financial fraud. Remediation efforts should prioritize strengthening authentication mechanisms for both employees and clients, enhancing endpoint security to detect and prevent infostealer malware, and actively monitoring for leaked credentials associated with Disney services, especially those originating from Latin America.

Total Events

2,673,770
credential exposure events

Employee Affected Events

160,409
account email domain = disney.com

Client Affected Events

2,513,361
service target = disney.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
500,000333,333166,6670
peak month 425,041
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events1,270,284
Share48%
Data breaches
Events1,403,486
Share53%
Infostealer logs (48%)
1,270,284events
Data breaches (53%)
1,403,486events

160,409 compromised employee accounts pose an infrastructure risk, while 2,513,361 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender11,732
Windows Defender.751
Avast221
Windows Defender [ON]199
Windows Defender McAfee185
Reason Cybersecurity172
McAfee104
ESET Security85
None76

Malware Families Distribution

Distribution of Active Stealer Strains

Redline215,978
LummaC2215,591
Rhadamanthys161,614
Vidar92,074
Acreed89,265
RisePro31,163
StealC26,602
Remus10,156
Millenium8,755

Top Login URLs

Top exposed services found in the event results

  1. 1android://0mxF7gRbL1Erv-6PlnR82jAP6lGaonT58okn_6fDdiqJuSFgX4aVoIyNFwhPQzm2smYltWO3qwuGjil466nBIQ==@com.disney.disneyplus/1,547,676
  2. 2android://6dhNkLSJwvJmNzuWfnH8Q-mLbBWW7s0A2b_x8_MpdFdUebGtjLfeV0Ed2EEJ4G7BbdV3o1quT8wKfwTDU82SjA==@com.disney.starplus/390,862
  3. 3android://0mxf7grbl1erv-6plnr82jap6lgaont58okn_6fddiqjusfgx4avoiynfwhpqzm2smyltwo3qwugjil466nbiq==@com.disney.disneyplus/ :77,220
  4. 4android://0mxf7grbl1erv-6plnr82jap6lgaont58okn_6fddiqjusfgx4avoiynfwhpqzm2smyltwo3qwugjil466nbiq==@com.disney.disneyplus/56,839
  5. 5android://zQxb6hXv1MJiC1Yyotdhi8HP-y7fwPcOLwPOWTwWKpP2VXcbsuIiI4iJ1KV0Dz3LzVsUuKJmACRSUAxnsPB3FA==@com.disney.disneyplus/45,578
  6. 6android://0mxF7gRbL1Erv-6PlnR82jAP6lGaonT58okn_6fDdiqJuSFgX4aVoIyNFwhPQzm2smltWO3qwuGjil466nBIQ==@com.disney.disneyplus/45,223
  7. 7android://6dhnklsjwvjmnzuwfnh8q-mlbbww7s0a2b_x8_mpdfduebgtjlfev0ed2eej4g7bbdv3o1qut8wkfwtdu82sja==@com.disney.starplus/ :18,819
  8. 8android://0mxF7gRbL1Erv-6PlnR82jAP6lGaonT58okn_6fDdiqJuSFgX4aVoIyNFwhPQzm2smYltWO3qwuGjil466nBIQ==@com.disney.disneyplus/ :18,671
  9. 9http://android://0mxF7gRbL1Erv-6PlnR82jAP6lGaonT58okn_6fDdiqJuSFgX4aVoIyNFwhPQzm2smYltWO3qwuGjil466nBIQ==@com.disney.disneyplus/15,040
  10. 10android://6dhnklsjwvjmnzuwfnh8q-mlbbww7s0a2b_x8_mpdfduebgtjlfev0ed2eej4g7bbdv3o1qut8wkfwtdu82sja==@com.disney.starplus/13,472

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Brazil
Events144,223
Argentina
Events83,658
Mexico
Events75,793
Colombia
Events62,082
Peru
Events53,341
United States
Events52,326
Chile
Events37,676
Spain
Events29,578

Country Breakdown

  1. 1Brazil144,223
  2. 2Argentina83,658
  3. 3Mexico75,793
  4. 4Colombia62,082
  5. 5Peru53,341
  6. 6United States52,326
  7. 7Chile37,676
  8. 8Spain29,578

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft1,106
Citrix322
F5269
Okta37
Git36
Pulse Secure32
FortiNet VPN18

Operating System Distribution

Distribution of compromised endpoint builds

Windows 1191,444
Windows 10 Enterprise x6483,841
Windows 11 24H2 build 26100 (64 Bit)68,292
Windows 10 22H2 build 19045 (64 Bit)60,185
Windows 10 Pro49,182

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
1,301,145
Combolist pools
102,341
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.