[Matsta]

Bingo. People using the same login on multiple sites.

The sellers get Massive email: password lists which are known combo lists. These are usually from hacked sites that have been SQL injected.

People probably all have giant lists of Netflix, Hulu Etc. accounts and then just recheck them on Disney+

Then they'll use a checker app which just mass checks the sites. I imagine Disney don't have a catchpa setup or requiring it after a large amount of failed logins.

There's no point IP limiting logins as most guys will be using massive botnet proxies services that give you a zillion IP's.