A group calling itself “NullBulge” published a 1.1-terabyte trove of data late last week that it claims is a dump of Disney’s internal Slack archive. The data allegedly includes every message and file from nearly 10,000 channels, including unreleased projects, code, images, login credentials, and links to internal websites and APIs.
The hackers claim they got access to the data from a Disney insider and named the alleged collaborator. A person with that name who lists Disney as their current employer did not return WIRED’s request for comment. Disney did not confirm the breach or return multiple requests for comment about the legitimacy of the stolen data. A Disney spokesperson told the Wall Street Journal that the company “is investigating this matter.”
The data, which appears to have been first published on Thursday, was posted on BreachForums and later taken down, but it is still live on mirror sites.
Roei Sherman, field CTO at Mitiga Security, says he isn’t surprised that a giant like Disney could have a breach of this scale and significance. “Companies are getting breached all the time, especially data theft from the cloud and software-as-a-service platforms,” he says. “It is just easier for attackers and holds bigger rewards.”
Sherman, who reviewed the data in the leak, added that, “all of it looks legit. A lot of URLs, conversations of employees, some credentials and other content.”
The NullBulge site says that it is a “hacktivist group protecting artists’ rights and ensuring fair compensation for their work.” The group claims it only hacks targets that violate one of three “sins.” First: “We do not condone any form of promoting crypto currencies or crypto related products/services.” Second: “We believe AI-generated artwork harms the creative industry and should be discouraged.” And third: “Any theft from Patreons, other supportive artist platforms, or artists in general.”
The group’s “Wall of Knowledge,” where it lists its data dumps, summarizes the philosophy: “What better way to punish someone than getting them in trouble eh?” Previously, the group targeted the Indian content creator “Chief Shifter” with a “First Shaming.” Then in May, NullBulge posted a “Second Punch” and teased the Disney breach. “Here is one I never thought I would get this quickly … Disney. Yes, that Disney,” NullBulge wrote, suggesting that the group may be a single person. “The attack has only just started, but we have some good shit. To show we are serious, here is 2 files from inside.”
In addition to the alleged Slack data, NullBulge also posted what appears to be detailed information about the individual who was seemingly providing the insider access and data. The leak includes medical records and other personally identifying information, plus the alleged contents of the alleged Disney employee’s 1Password password manager. NullBulge seemingly doxxed the individual in retaliation for cutting off communication and access.
Security researchers have long warned about corporate Slack accounts as a treasure trove for attackers if compromised. The popular team communication platform is owned by Salesforce and is used by an array of prominent organizations, including IBM, Capital One bank, Uber, and Disney rival Paramount.
“Disney will probably be targeted a lot more now by opportunistic threat actors,” Sherman warns.