Coinsquare, the impacted exchange, says a former employee stole the data.
Hackers are selling Disney+ accounts on the dark web, but the tools to break into the accounts in the first place are already established.
This could make people think twice about using a phone number to secure their account at all.
The small list of around 2,500 login details acts a reminder to stay vigilant and use two-factor authentication.
Earlier this month, Motherboard revealed that contents of Microsoft's email services were compromised. Multiple victims now say that hackers stole their cryptocurrency.
Sources and a document show how Google bars nonprofits from telling activists in certain countries about their products.
Users are angry that Facebook is letting others, including advertisers, look up users via the phone numbers they provided to enable two-factor authentication.
Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.
Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom. But Instagram is silent.