I got an Email (to my iCloud address) from Disney+. The email contained a subscriber agreement. I did not register for their service myself. On the Disney+ website I saw that there was indeed an account for my email address. Using "forget password" I was able to log into the account and change the password.
I contacted Disney support, asking them to delete the account. However, they said that they can not delete the account since there is a running subscription via iCloud. This subscription has to be cancelled in order for the account to be deleted.
At this point I was very concerned that someone has hacked into my iCloud (which runs under email address used for the Disney+ account). So I logged into my iCloud and checked the running subscriptions and active devices but there was no suspicious activity at all and no Disney+ subscription listed.
My questions are:
Yes, it's possible to use your email address and pay via credit card, PayPal, subscription cards or the respective mobile providers (Apple / Google Pay). It does not have to be a payment with Apple Pay / your iCloud account. As you are able to login, you should see the used payment method in the account's "billing details".
I do not see any further security concerns on your side. You already checked for an intrusion into your iCloud account and there seems to be none, which is good. You contacted Disney and they did not care (which is questionable). I'd say whoever created this account is going to realize he is no longer able to login and therefore going to cancel the payment subscription sooner or later. Lesson learned for the person who created the account with a random email address.
You probably get a notification email after the subscription has ended, then you are able to delete the account.
External links referenced by this document: