Look to me like they were not hacked at all, it's just a user-side issue. They said they detected no breach and believe it's likely just people re-using passwords and not having multi-factor (though Disney should be blamed for not offering mult-factor).