A group calling itself “NullBulge” published a 1.1 terabyte dataset late last week that it claims is a dump of Disney’s internal Slack archive. The data purportedly includes all messages and files from nearly 10,000 channels, including unpublished projects, code, images, login credentials, and links to internal websites and APIs.
The hackers claim they gained access to a Disney insider’s data and named the alleged contributor. A person by that name who lists Disney as his current employer did not respond to WIRED’s request for comment. Disney did not confirm the breach or respond to multiple requests for comment on the legitimacy of the stolen data. A Disney spokesperson He told the Wall Street Journal that the company “is investigating this matter.”
The data, which appears to have been first published on Thursday, was posted on BreachForums and then removed, but is still active on mirror sites.
Roei Sherman, director of field technology at Mitiga Security, says he’s not surprised that a giant like Disney could suffer a breach of this scale and significance. “Companies experience security breaches all the time, especially data theft from cloud and software-as-a-service platforms,” he says. “It’s easier for attackers and offers higher rewards.”
Sherman, who reviewed the leaked data, added that “it all looks legitimate. There are a lot of URLs, employee conversations, some credentials and other content.”
NullBulge’s website says it’s a “hacktivist group that protects artists’ rights and ensures fair compensation for their work.” The group claims it only attacks targets that violate one of three “sins.” First: “We do not tolerate any form of promotion of cryptocurrencies or crypto-related products/services.” Second: “We believe AI-generated artwork harms the creative industry and should be discouraged.” And third: “Any theft from Patreons, other artist-supporting platforms, or artists in general.”
The group’s “Wall of Knowledge,” where it lists its data dumps, sums up the philosophy: “What better way to punish someone than to get them in trouble, huh?” Previously, the group attacked Indian content creator “Chief Shifter” with a “First Shaming.” Then, in May, NullBulge posted a “Second Punch,” mocking the Disney breach. “Here’s one I never thought I’d get so fast… Disney. Yeah, that Disney,” NullBuldge wrote, suggesting the group may consist of just one person. “The attack just started, but we got something good. To show we mean business, here are 2 files from inside.”
In addition to the alleged Slack data, NullBulge also published what appears to be detailed information about the individual who was apparently providing access and sensitive data. The leak includes medical records and other personally identifiable information, in addition to the alleged contents of the alleged Disney employee’s 1Password password manager. NullBulge apparently released sensitive information about the individual in retaliation for cutting off communication and access.
Security researchers have long warned about corporate Slack accounts, which could be a treasure trove for attackers if compromised. The popular team communication platform is owned by Salesforce and used by a number of major organisations, including IBM, Capital One bank, Uber and Disney rival Paramount.
“Disney will likely be subject to further attack by opportunistic threat actors,” Sherman warns.
