Hackers Took Over Elmo's X Account and Disney's Instagram, and It Exposed a Much Bigger Problem
The whole thing lasted less than 30 minutes and someone walked away with $50,000 in stolen funds.
Published April 24, 2026, 2:22 p.m. ET

When Elmo's X account started posting antisemitic rants and attacks on Donald Trump in July 2025, most people reacted the way you'd expect. Confusion. Horror. A few dark jokes. Jon Stewart did a whole segment on it. Sesame Workshop scrambled to condemn the posts and reassure parents that no, the little red puppet had not radicalized overnight.
But once the shock wore off, a quieter question started making the rounds: If hackers can hijack a children's character with 650,000 followers and use it to spread hate speech before anyone at the company notices, what does that say about the rest of us?
Turns out, it says a lot.
Disney fans got scammed in under 30 minutes.
Three months after the Elmo incident, hackers breached Disney's Instagram on October 1, 2025. But this time, the motive was money, not mayhem. The attackers pushed a fake cryptocurrency called "Disney Solana" through the company's official pages, and hundreds of fans bought in before anyone could pull the plug.

The whole thing lasted less than half an hour. In that window, someone walked away with roughly $50,000 in stolen funds. The fake coin's market cap briefly hit $60,000 before crashing to $7,000. Disney removed the posts and launched an investigation, but the damage was already done. Real people lost real money because they trusted a verified brand account.
And look, you can argue that nobody should buy crypto from an Instagram story. Fair point. But Disney is one of the most recognizable brands on the planet. The whole reason the scam worked is that people trust the Disney name. Hackers didn't need to be sophisticated. They just needed 30 minutes and access.
The real story isn't about celebrity accounts.
High-profile hacks make great headlines. Remember when the Ashley Madison hack exposed 32 million users and nobody could stop talking about it? Elmo gets hacked, and it trends for a day. Disney gets hacked, and crypto Twitter has a field day. But the incidents that should actually worry people are the ones nobody talks about at dinner.
In June 2025, cybersecurity researcher Jeremiah Fowler found an unprotected database belonging to Passion.io, a platform that lets influencers, coaches, and online entrepreneurs build their own apps without writing code. The database held 3.6 million records and 12.2 terabytes of data. No password. No encryption. Just sitting there.
The exposed files included names, email addresses, physical addresses, invoice details, and premium video content that creators had uploaded as paid courses. Some profile images appeared to be of minors. Passion.io restricted access the same day Fowler flagged it, but nobody knows how long the database had been open or who else might have found it first.
Then, in February 2026, Substack disclosed that an API scraping attack in October 2025 had compromised roughly 697,000 user records. The stolen data included emails, phone numbers, Stripe customer IDs, and social media handles for both writers and subscribers. The attack exploited a broken authorization flaw that let anyone request user data by cycling through sequential ID numbers. It took Substack four months to even notice.
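The class of flaw described above (records fetched by sequential ID with no per-record authorization check) looks like this in miniature, next to the fix and a log check that would surface the enumeration sooner. This is an added example, not code from the article or from Substack; the record store, function names, client addresses and log format are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample store: sequential numeric user id -> private record.
USERS = {uid: {"email": f"user{uid}@example.com"} for uid in range(1001, 1021)}

def get_user_vulnerable(requester_id, target_id):
    """Broken pattern: the caller's identity is never compared to the record."""
    return USERS.get(target_id)

def get_user_hardened(requester_id, target_id):
    """Object-level authorization: only the record's owner may read it."""
    if requester_id != target_id:
        raise PermissionError("requester is not authorized for this record")
    return USERS.get(target_id)

def find_enumerators(log, min_run=5):
    """Return {client: longest run} for clients that requested at least
    min_run consecutive ids, the signature of cycling through an id space."""
    per_client = defaultdict(set)
    for client, target_id in log:
        per_client[client].add(target_id)
    flagged = {}
    for client, ids in per_client.items():
        best = run = 0
        prev = None
        for i in sorted(ids):
            # Extend the run when this id directly follows the previous one.
            run = run + 1 if prev is not None and i == prev + 1 else 1
            best = max(best, run)
            prev = i
        if best >= min_run:
            flagged[client] = best
    return flagged

# Constructed access log of (client address, requested user id) pairs.
SAMPLE_LOG = (
    [("203.0.113.7", uid) for uid in range(1001, 1021)]    # walks every id
    + [("198.51.100.4", 1002), ("198.51.100.4", 1002)]     # repeat own lookup
    + [("198.51.100.9", 1500), ("198.51.100.9", 1003)]     # scattered lookups
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```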
These aren't pranks or clout-chasing stunts. These are platforms that creators treat as the backbone of their businesses. When a fitness coach uploads her entire course library to Passion.io and that data gets exposed, she doesn't just lose content. She loses the product she sells to pay rent.
Creators are building businesses on platforms that can't protect them.
Here's the part that nobody really wants to say out loud: The creator economy is now worth billions, but the infrastructure holding it together still has the security posture of a startup that just got its first round of funding.
According to StationX's 2026 report, 429 million social media accounts were compromised in 2025 alone, with projections pushing that number toward 580 million by the end of this year. Account takeover fraud losses are expected to hit $17 billion in 2026.

And it's not just individual creators getting hit. The NBA and NASCAR's official X accounts were simultaneously breached in March 2025, exposing 53.6 million followers to attacker-controlled posts. Samsung's X account got hijacked to push a fake cryptocurrency called "Samsung Smart Token." Other major brands faced similar incidents throughout the year.
If brands with dedicated security teams and multi-million-dollar IT budgets keep getting breached, a solo creator running a Patreon and a Substack doesn't exactly stand a chance.
The newer threats are even harder to spot, and they go well beyond inappropriate deepfakes or stolen login credentials. AI voice cloning and deepfakes trained on public livestreams and podcast appearances are now being used to impersonate creators, bypass security resets, and trick brand partners into sending money. You don't need to hack someone's password when you can just sound like them on a phone call.
Some creators are quietly changing how they store everything.
The Passion.io and Substack situations hit differently because they weren't about someone guessing a weak password. They were about platforms failing to protect the data that creators trusted them with. That distinction matters.
A growing number of independent writers, coaches, and small creative teams have started moving sensitive files off of general-purpose platforms entirely. The shift is toward end-to-end encrypted tools where even the service provider can't access your data, which is a fundamentally different model than what most cloud platforms offer.
Companies like Proton, which built its reputation on encrypted email under Swiss privacy law, now offer cloud storage solutions for business designed around that zero-access principle. The idea is straightforward: if the company hosting your files physically cannot decrypt them, then a breach on their end doesn't expose your content. For a creator sitting on a library of unreleased courses, client contracts, or subscriber data, that's not a minor detail.
It's a different philosophy than what most people are used to. We've seen the tension between convenience and privacy play out before with WhatsApp's data-sharing controversy, and it hasn't gone away. Google Drive and Dropbox are convenient, and they work fine for sharing vacation photos. But convenience and security are often working against each other, and the creator economy is learning that lesson the hard way.
This isn't going to get easier.
The uncomfortable truth is that the tools most creators rely on were not designed for the way they're being used now. Social media accounts have become storefronts. Newsletter platforms hold subscriber payment data. No-code app builders store entire course libraries. None of these platforms were originally built to function as secure business infrastructure, and it shows every time one of them gets popped.
The Elmo hack was funny. The Disney scam was wild. But the Passion.io leak and the Substack breach? Those are the ones that should keep creators up at night. Because the next time it happens, and it will, the exposed data won't just be embarrassing. It'll be the kind of information that costs people their livelihoods.