
Hacktivists Claim Disney Data Leak Was Protest Against AI Art; One Terabyte of Internal Slack Messaging Chats Stolen and Leaked

A massive leak of Disney’s internal Slack messaging conversations appears to be the work of hacktivists looking to shine a light on the use of AI art to replace creative workers. The hackers, who go by the name “NullBulge,” have yet to request any ransom and immediately began dumping portions of the data leak to publicly available channels.

Hacktivist group behind data leak takes anti-AI stance, previously compromised Stable Diffusion

Security analyst opinions vary on whether or not the claimed hacktivism is some sort of front for an attempted criminal enterprise, but NullBulge does have some prior history in this area. In June the group compromised a widely-used interface plugin for the image generator Stable Diffusion, planting malware that steals login credentials.

The group says that it is in possession of over a terabyte of Disney’s Slack messaging data, and appears to be releasing it to the public in chunks via BitTorrent. It says that the motivation for this particular attack is to “protect artists’ rights and ensure fair compensation for their work.” The hackers also claimed the attack had “only just started.”

After having spent a century building its brand in no small part due to the quality and meticulous detail of the hand-drawn art in its animated films, Disney raised some hackles in 2023 when it appeared to begin using AI-generated art in certain promotional posters and advertisements. It has since used AI to generate the credits for a Disney Plus television series affiliated with the Marvel Universe, and an insider has claimed the company has formed an exploratory task force to examine how it can cut costs by using AI.

The Slack messaging dump appears to contain all of the company’s internal messages on the platform as of the time at which it was stolen. There has yet to be a conclusive determination of its authenticity by Disney or independent security researchers, but the data leak appears to contain conversations about job applicants, upcoming projects, employee programs, website development and advertising campaigns that date back as far as 2019. Security researchers have also noted that source code and login credentials are present. The information apparently comes from as many as 10,000 of the company’s different internal Slack messaging channels.

Disney has not commented on any technical details of the data leak as of yet, but posts by the hackers on X claimed that an “inside man” got them into the company’s Slack messaging system. If true, that would make the incident a relatively rare example of an insider threat opening the gates to an external hacking group but doing so without any apparent financial considerations. The group claims that the insider “got cold feet” and cut off their access early, and in retaliation they named the person publicly and posted what they claim are the contents of their 1Password vault. The insider may have been extorted after an individual breach involving the installation of a video game mod the group had tainted with malware.

Kevin Reed, Acronis CISO, provides more detail on the suspected data leak source: “Based on Nullbulge blog post (see https://nullbulge.se/blog.html) it seemed that they managed to compromise a single workstation of someone named Matthew J Van Andel (probably https://www.linkedin.com/in/mattvanandel/), who works at Disney. From there, the attacker pulled Slack access tokens and downloaded Slack messages. Nullbulge also dumped his 1Password local cache.”

Slack messaging breach contains a broad variety of Disney’s internal information

NullBulge’s seeming hacktivism extends to its public website, which declares that it only attacks targets that promote cryptocurrency, AI artwork, or any form of theft from Patreons or artist platforms. The group also says that it is based in Russia, though at least one of its members seems to speak fairly fluent English in its social media and forum posts.

Hackers in general have shown an increasing interest in corporate Slack messaging channels in recent years. Gaining entry to these channels is often a matter of compromising just one employee, whose credentials may already be stolen and available or who may use a weak password. As this present data leak seemingly demonstrates, targeting and compromising individual employees could also lead to obtaining their work credentials from their personal devices. Once inside, attackers often find Slack messaging channels packed with everything from shared plaintext passwords to discussions of highly secret company information, any of which could cause a devastating data leak. Slack itself has also proven vulnerable several times over its history of operation, most recently in a breach that was announced on the last day of 2022 and involved attackers accessing the company’s GitHub repositories.

Dr Ilia Kolochenko, Partner and Cybersecurity Practice Lead with cyber law practice, Platt Law LLP, warns that the possibility of a ransom situation should not be ruled out as of yet: “While the alleged data breach of multiple internal Slack channels is unconfirmed by Disney, it would be premature to make conclusions. However, if true, it seems to be a well-thought-out smokescreen to mask the true identities and real motives of the hackers. Hacktivists are highly unlikely to run operations of such scale to protect intellectual property and the rights of artists. Moreover, in many jurisdictions, such evidence may be inadmissible in courts and will merely cause embarrassment to Disney if exposed. Given the volume and nature of the reportedly compromised data, it may rather be exploited to blackmail Disney, similar to the notoriously devastating Sony hack. Another plausible reason behind the intrusion is politics and an attempt to censor certain movies, topics or ideas from Disney’s digital content. This case is a grim reminder for all corporations about the importance of having and invariably enforcing policies relating to data retention, authorized use of Slack and other corporate messengers, as well as prohibition to discuss certain sensitive topics in potentially insecure environments.”

Slack is sometimes overlooked by cybersecurity plans in spite of its vulnerability. Some “hardening” measures that organizations can implement to avoid similar data leaks include limiting sensitive information to groups that are set as private and have access control policies in place, restricting third party app access to only absolutely essential functions, and requiring MFA logins to help protect against credential compromise.

Omri Weinberg, Co-founder and CRO at DoControl, expands on the potential threat (and defense measures): “What’s particularly concerning is how attackers could leverage this type of Slack access for highly effective social engineering attacks.  Imagine a bad actor posing as a trusted colleague or executive on Slack – they could easily manipulate employees into sharing sensitive information or taking harmful actions.  These internal phishing attempts typically have a much higher success rate than traditional email phishing, as people tend to let their guard down in what they perceive as a secure, internal environment. To prevent these types of incidents, organizations need to take a multi-layered approach to securing their Slack environments: First, implement strong access controls and authentication, including multi-factor authentication and regular credential rotation.  Carefully manage API keys and integrations to prevent unauthorized access. Second, enable comprehensive logging and monitoring to detect suspicious activity.  Look for anomalous access patterns or data exfiltration attempts. Third, use data loss prevention tools to identify and protect sensitive information shared in Slack.  Classify your data and set policies to prevent unauthorized sharing.”
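The data loss prevention step, and the earlier point that channels often hold shared plaintext passwords, can be illustrated with a small scanner. This is an added example, not code from the article or from any vendor quoted in it; it assumes messages in the shape of a Slack workspace export (`user`, `text`, `ts`), and the rule set, channel name and sample messages are constructed for illustration.

```python
import json
import re

# Detection rules: (name, regex). Group 1 captures the secret itself.
RULES = [
    ("slack_token", re.compile(r"\b(xox[abeprs]-[0-9A-Za-z-]{10,})")),
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    ("password_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})")),
]

def redact(secret):
    """Keep a 4-character prefix for triage so the report does not re-leak the value."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_messages(channel, messages):
    """Return one finding per rule match across export-style message dicts."""
    findings = []
    for msg in messages:
        text = msg.get("text", "")
        for name, pattern in RULES:
            for m in pattern.finditer(text):
                findings.append({
                    "channel": channel,
                    "ts": msg.get("ts"),
                    "user": msg.get("user"),
                    "rule": name,
                    "match": redact(m.group(1)),
                })
    return findings

# Constructed sample data (assumed export shape; every value here is fake).
SAMPLE = json.loads("""[
 {"type": "message", "user": "U0000001", "ts": "1700000000.000100",
  "text": "staging db is up, password: Tr0ub4dor-constructed"},
 {"type": "message", "user": "U0000002", "ts": "1700000060.000200",
  "text": "bot token for the deploy hook xoxb-000000000000-CONSTRUCTEDEXAMPLE"},
 {"type": "message", "user": "U0000003", "ts": "1700000120.000300",
  "text": "I forgot my password again"},
 {"type": "message", "user": "U0000001", "ts": "1700000180.000400",
  "text": "key id AKIAIOSFODNN7EXAMPLE for the bucket"}
]""")

if __name__ == "__main__":
    for finding in scan_messages("eng-deploys", SAMPLE):
        print(finding)
```

Findings carry the channel, timestamp and user so the message can be removed and the credential rotated; the third sample message mentions a password without disclosing one and is not flagged.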