[thu2111]

It exists already. Disney could just federate their logins to Google, for example, and all these problems are solved for them for free.

Note that both Google and Facebook have extensive infrastructures in place to detect and block password reuse based account hacking. Knowing the password is not enough to always log in to a Google account. In some cases the login process will ask you questions about your account or ask you to receive a code on your phone to verify authenticity. It's a bit like a heuristically triggered and thus easier form of 2FA.

Disney's problem here is that they have tried to make their own global federated account system but without much expertise in doing so. Tech firms have successfully fought off and blocked these attacks years ago.