It's way too early to point your finger at Disney. In this day and age it is not easy to protect personal data and passwords from questionable characters. In this case, it could simply be users who have used their password twice. Maybe the hardware that logged in to Disney + was contaminated with a Trojan horse? After a thorough investigation, Disney will certainly speak on this issue to speak.