A group calling itself “NullBulge” released a 1.1 terabyte trove of data late last week that they claim is a dump Disney’s internal Looseness archive. The data is said to include every message and file from nearly 10,000 channels, including unreleased projects, code, images, login information, and links to internal websites and APIs.
The hackers claim they accessed the data from a Disney insider and name the alleged collaborator. A person by that name, who lists Disney as their current employer, did not respond to WIRED’s request for comment. Disney did not confirm the breach or respond to multiple requests for comment on the legitimacy of the stolen data. A Disney spokesperson told the Wall Street Journal that the company is “investigating the matter.”
The data, which appears to have been first published on Thursday, was posted on BreachForums and later taken down, but remains available on mirror sites.
Roei Sherman, chief technology officer at Mitiga Security, said he was not surprised that a company as large as Disney could be breached on such a scale and scale. “Companies are getting breached all the time, especially when it comes to data theft from the cloud and software-as-a-service platforms,” he said. “It’s easier for attackers and the rewards are greater.”
Sherman, who reviewed the leaked data, added that, “it all looks legitimate. Lots of URLs, employee chat, some credentials, and other stuff.”
The NullBulge website says it is “a hacktivist group that protects artists’ rights and ensures fair compensation for their work.” The group claims it only hacks targets that violate one of three “sinful acts.” First: “We do not tolerate any form of promotion of cryptocurrency or cryptocurrency-related products/services.” Second: “We believe that AI-generated art is harmful to the creative industry and must be stopped.” And third: “Any theft from Patreons, other artist support platforms, or artists in general.”
The group’s “Wall of Knowledge,” which lists the leaked data, sums up its philosophy: “What better way to punish someone than to get them in trouble?” The group previously targeted Indian content creator “Chief Shifter” with “First Shaming.” Then, in May, NullBulge posted “Second Punch,” teasing the Disney hack. “This is one I never thought I’d get this fast… Disney. Yes, that Disney,” NullBulge wrote, hinting that the group might be a one-man operation. “The attack has only just begun, but we have some cool stuff. To prove we’re serious, here are 2 files from the inside.”
In addition to the alleged Slack data, NullBulge also posted what appeared to be details about the individual who allegedly provided insider access and data. The leak included medical records and other personally identifiable information, along with the alleged contents of the Disney employee’s 1Password password manager. NullBulge appears to have doxxed the individual in retaliation for cutting off communication and access.
Security researchers have long warned that corporate Slack accounts are a treasure trove for attackers if compromised. The popular team communication platform, owned by Salesforce, is used by a range of high-profile organizations, including IBM, bank Capital One, Uber, and Disney rival Paramount.
“Disney is likely to be a more frequent target of opportunists,” Sherman warned.
