A group calling itself “NullBulge” has published a massive 1.1 TB trove of data that it claims is a dump of Disney’s internal Slack archive. This data allegedly includes every message and file from nearly 10,000 channels, encompassing unreleased projects, code, images, login credentials, and links to internal websites and APIs.
The hackers allege they obtained the data with the assistance of a Disney insider, even naming the alleged collaborator. It remains unconfirmed whether the hackers had inside help or used info-stealing malware to compromise an employee’s account. Disney has not confirmed the breach or responded to multiple requests for comment regarding the legitimacy of the stolen data. However, a Disney spokesperson told the Wall Street Journal that the company “is investigating this matter.” The data, which was initially posted on BreachForums, has since been taken down but remains accessible on mirror sites.
Roei Sherman, field CTO at Mitiga Security, expressed little surprise at a breach of this scale for a company like Disney. “Companies are getting breached all the time, especially data theft from the cloud and software-as-a-service platforms,” he says. “It is just easier for attackers and holds bigger rewards.” Sherman, who reviewed the leaked data, added, “all of it looks legit—a lot of URLs, conversations of employees, some credentials, and other content.”
The NullBulge site describes itself as a “hacktivist group protecting artists’ rights and ensuring fair compensation for their work.” The group claims to target only those who commit one of three “sins”:
- Promotion of cryptocurrencies or related products/services.
- Support of AI-generated artwork, which they believe harms the creative industry.
- Theft from Patreon or other supportive artist platforms.
Their “wall of knowledge,” listing their data dumps, outlines their philosophy: “What better way to punish someone than getting them in trouble eh?” Previously, the group targeted the Indian content creator Chief Shifter with a “first shaming.” In May, NullBulge posted a “second punch” and teased the Disney breach. “Here is one I never thought I would get this quickly … Disney. Yes, that Disney,” NullBulge wrote, suggesting the group might be a single person. “The attack has only just started, but we have some good shit. To show we are serious, here are 2 files from inside.”
In addition to the alleged Slack data, NullBulge posted what appears to be detailed information about the individual they claim provided insider access. The leak includes medical records, other personally identifying information, and the alleged contents of the individual’s 1Password password manager. NullBulge claims to have doxxed the individual in retaliation for cutting off communication and access, although it remains unconfirmed whether the employee ever collaborated with the group.
Security researchers have long warned that corporate Slack accounts are a treasure trove for attackers if compromised. The popular team communication platform, owned by Salesforce, is used by prominent organizations including IBM, Capital One, Uber, and Disney rival Paramount.
“Disney will probably be targeted a lot more now by opportunistic threat actors,” Sherman warns.