Hacktivist group NullBulge claims Disney Slack infrastructure data breach
A hacktivist group named NullBulge has claimed responsibility for a significant data breach involving Disney's internal Slack infrastructure, allegedly leaking 1.1 TiB (1.2 TB) of data. The leak reportedly includes a vast array of internal communications, files, code, and more.
NullBulge claims their motive is to "protect artists’ rights and ensure fair compensation for their work." They announced the breach on Breach Forums and X (formerly Twitter), encouraging people to download the leaked data to see "what goes on behind the doors" of Disney.
The leak was announced on the 12th of July 2024 and supposedly contains:
- Messages
- Files
- Code
- Logins
- Links to internal API/web pages
- Unreleased projects
- Raw images
- Almost 10,000 Slack channels
The details of the attack and the number of affected individuals have not been disclosed. A Disney spokesman said that “Disney is investigating this matter.”
The origins of NullBulge are unclear, but their activities suggest a possible link to the LockBit ransomware gang, as they appear to be using LockBit’s leaked builder. The group’s focus aligns with ongoing disputes involving Disney’s payment practices for artists and writers. Disney has faced criticism and legal issues for allegedly failing to pay royalties to creators of works acquired through their purchase of various franchises, including "Star Wars" and "Alien."
As of now, Disney has not confirmed the breach or issued an official response.
Update - As of the 19th of July 2024, the hacktivist group "NullBulge" claims that the breach was executed to highlight the use of AI art to replace creative workers. The group has not requested any ransom and has started publicly releasing portions of the data leak.
The potential access source for the attack seems to be an “inside man” at Disney, who was later named and had their 1Password vault contents leaked by the group. The insider’s compromise possibly involved malware from a tainted video game mod.
As of the 5th of September 2024, The Wall Street Journal reports that the breach exposed sensitive personal information and financial details related to the company’s operations, including:
- Personally Identifiable Information (PII) of Disney Cruise Line staff and passengers:
  - Passport numbers.
  - Visa details.
  - Names, addresses, and phone numbers.
  - Places of birth.
  - Physical addresses.
  - Current assignments of staff.
- Customer Information:
  - Names, addresses, and phone numbers of some Disney Cruise Line passengers.
  - Names and contact details for Disneyland guests with restaurant reservations.
- Financial and Strategy Information:
  - Detailed revenue data for Disney+ and ESPN+ streaming services.
  - Internal financial spreadsheets suggesting Disney+ generated over $2.4 billion in revenue in the March quarter, representing 43% of the total revenue for Disney’s direct-to-consumer entertainment segment.
  - A spreadsheet indicating Genie+ theme park passes generated more than $724 million in pretax revenue at Walt Disney World between October 2021 and June 2024.
- Login Credentials:
  - Login details for some of Disney’s cloud infrastructure.
- Operational and Strategic Insights:
  - Park pricing offers the company had modeled.
  - Information related to Disney's ad operations, including political spending on Disney platforms and discussions about ad campaigns from competitors like Netflix.
  - Staff discussions regarding Disney’s 2022 political stance in Florida, particularly concerning the "Parental Rights in Education" law.