Hackers claim to have leaked 1.1TB of Disney Slack messages

A group calling itself “NullBulge” last week released a 1.1 terabyte data trove that it claims is a dump of Disney’s internal Slack archives. The data reportedly includes all messages and files from nearly 10,000 channels, including unreleased projects, code, images, login credentials, and links to internal websites and APIs.

The hackers claim to have gained access to the data through a Disney insider and have named the alleged collaborator. A person by that name, who lists Disney as their current employer, did not respond to WIRED’s request for comment. Disney has not confirmed the breach or responded to multiple requests for comment on the legitimacy of the stolen data. A Disney spokesperson told The Wall Street Journal that the company is “investigating this matter.”

The data, which appears to have first been published on Thursday, was posted to BreachForums and later deleted, but is still online on mirror sites.

Roei Sherman, CTO at Mitiga Security, isn’t surprised that a giant like Disney could have been the victim of a breach of this magnitude and significance. “Enterprises are constantly being hit with security breaches, especially data theft on cloud and SaaS platforms,” he explains. “It’s simply easier for attackers and the profits are greater.”

Sherman, who reviewed the leaked data, added that “it all looks legitimate. Lots of URLs, employee conversations, credentials and other content.”

NullBulge calls itself a “hacktivist group protecting the rights of artists and ensuring fair compensation for their work.” The group claims that it only hacks targets that violate one of three “sins.” First: “We do not endorse any form of promotion of cryptocurrencies or crypto-related products/services.” Second: “We believe that AI-generated artworks are harmful to the creative industry and should be discouraged.” And third: “Any theft from Patreon, other artist support platforms, or artists in general.”

The group’s “Wall of Knowledge,” where it catalogs its data leaks, sums up the group’s philosophy: “What better way to punish someone than to get them in trouble, huh?” Previously, the group targeted Indian content creator “Chief Shifter” with a “First Shaming.” Then, in May, NullBulge posted a “Second Punch” and discussed the Disney breach. “Here’s one I never thought would get this fast… Disney. Yes, that Disney,” NullBulge wrote, suggesting the group might be a single person. “The attack is just beginning, but we’ve got some good shit. To show we mean business, here are two files from the inside.”

In addition to the alleged Slack data, NullBulge also released what appears to be detailed information about the person who was apparently providing access and internal data. The leak includes medical records and other personally identifiable information, as well as the purported contents of the alleged Disney employee’s 1Password password manager. NullBulge apparently reported the individual in retaliation for cutting off communication and access.

Security researchers have long warned that companies’ Slack accounts are a treasure trove for attackers if compromised. The popular team communication platform is owned by Salesforce and is used by many high-profile organizations, including IBM, Capital One Bank, Uber, and Disney rival Paramount.

“Disney will likely now be much more targeted by opportunistic malicious actors,” Sherman warns.