Jul 17, 2024

How Disney Could Have Prevented Its Massive Slack Channel Data Breach (3 Actionable Steps)

It’s a Disney horror film.

1.1 TB of data from almost 10,000 channels on Disney’s developer Slack - made public for anyone on the internet to see. 

What is there to see? Plenty:

  • Login credentials
  • Unreleased projects
  • Computer code
  • Images
  • Links to internal websites and APIs

Claiming responsibility for this Slack data breach is the hacker group NullBulge. The reason? To “punish” Disney for how it handles artist contracts, its approach to AI, and its disregard for the consumer. 

As of July 17, 2024, Disney still hasn’t said more than that they are “investigating the matter.”

What could Disney have done to prevent NullBulge from causing such damage? We’ve identified three concrete steps that Disney could have taken to prevent the breach or significantly reduce its scope.

The wise person learns from others’ mistakes. Read on and become wise. 

Keep secrets out of Slack channels

The following should not be a revelation: corporate Slack instances are a tempting target for hackers. 

Over the past several years, Uber, Grand Theft Auto, EA Games and Twitter have had their Slack infiltrated and data exfiltrated. 

This awareness should lead to a very actionable conclusion: secrets that expose other areas of your cloud environment do not belong in Slack. This includes:

  • Encryption keys
  • API keys
  • Access tokens
  • Service account credentials
  • IAM credentials
  • MFA secrets

It is just too easy for Slack security to fail and for these keys to the kingdom to end up in the wrong hands.
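The point above, that secrets are best caught before they ever sit in a channel, is what a Slack DLP rule does. The following is an added example, not code from the original post or from any Slack tooling: a small message scanner with a hypothetical rule set (AWS key IDs, Slack and GitHub token prefixes, private-key headers, and a generic `name = value` form gated by a Shannon-entropy check so placeholders such as `password: placeholder` are ignored). The sample messages are constructed; the AWS key ID is the one AWS uses in its own documentation. Alerts carry only a redacted prefix so the alert channel does not become a second leak.

```python
import math
import re
from dataclasses import dataclass

# Hypothetical rule set constructed for this example. Real DLP products ship far
# larger pattern libraries; these cover the secret types listed in the post.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Generic "name = value" form; the captured value is entropy-checked below
    # so that obvious placeholders do not page anyone.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*"
        r"['\"]?([A-Za-z0-9_\-./+=]{16,})"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; tuned for this toy corpus


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values indicate placeholders."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only a short prefix so the alert itself does not leak the secret."""
    return secret[:4] + "****"


@dataclass
class Finding:
    channel: str
    author: str
    rule: str
    snippet: str


def scan_message(channel: str, author: str, text: str) -> list:
    """Run every rule over one message and return redacted findings."""
    findings = []
    for rule, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            candidate = match.group(1) if match.groups() else match.group(0)
            if rule == "generic_assignment" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: almost certainly a placeholder
            findings.append(Finding(channel, author, rule, redact(candidate)))
    return findings


def scan_messages(messages) -> list:
    """messages: iterable of (channel, author, text) tuples."""
    return [f for ch, au, text in messages for f in scan_message(ch, au, text)]


# Constructed sample messages (not from any real workspace).
SAMPLE_MESSAGES = [
    ("#deploy", "alice", "prod creds: AKIAIOSFODNN7EXAMPLE"),
    ("#general", "bob", "lunch at noon?"),
    ("#dev", "carol", "set API_KEY=sk_live_0123456789abcdefABCDEF in the env"),
    ("#dev", "dave", "password: placeholder_placeholder"),
    ("#infra", "erin", "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA (rest omitted)"),
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.channel} @{f.author}: {f.rule} -> {f.snippet}")
```

Run stand-alone it reports three findings (the AWS key, the live API key, and the private-key block) and stays silent on the placeholder password and the lunch message. In a real deployment the scanner would sit behind a Slack Events subscription and quarantine or tombstone the message rather than just print; the entropy threshold and rule list are the parts you would expect to tune per workspace.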

Now, let’s say you do succeed in keeping secrets out of your Slack, either through Slack data loss prevention tools or through intense employee education and cooperation. There will still be other confidential information in your Slack channels that a hacker could use to cause you damage. 

Discussions about upcoming projects and releases, for example, are exactly what belongs on a developer Slack channel. And yet, if a hacker gets hold of that data and publicizes it, as occurred in the Disney breach, that could cause significant monetary losses to your organization. 

To prevent this type of data breach, you need a way to monitor and detect if anything suspicious is happening to the data assets in your Slack. So we move on to the next concrete step…

Watch for anomalous behavior from insiders

NullBulge claimed to have help from an insider: a Disney manager of software development. Whether that “help” was freely given or was the result of a compromised account is still unclear. 

Either way, if NullBulge - or any hacker - is able to masquerade as an insider, detecting them becomes trickier. The insider identity being used, after all, does have legitimate access to the Slack channels in question.

The key to detecting the hack and stopping it before damage is done is monitoring user identity behavior and detecting anomalies.

The Disney Slack breach involved the exfiltration of massive amounts of assets: 1.1 TB. This is not a copy-paste job. As NullBulge themselves said, “Anything we could get our hands on, we downloaded and packaged up.”

Do Disney’s managers of software development routinely download all the data assets in every single Slack channel to which they have access?

Unlikely. 

If Disney had been monitoring user identity risk based on behavior (usually through an Identity Threat Detection and Response - ITDR - solution), this user should have been flagged as soon as the contents of a few Slack channels had been exported. The ITDR solution could also have immediately suspended the actions, revoked channel access or export ability for the user, and alerted the information security teams to investigate the user.

Within a short time after the first attempts to exfiltrate data, the breach could have been contained.
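The behavioral check described in the last few paragraphs can be made concrete. What follows is an added example, not code from the original post or from any ITDR product: it builds a per-user baseline from historical Slack audit events (the largest number of distinct channels the user ever exported inside one hour), sets an alert threshold at a multiple of that baseline with an absolute floor, then walks live events with a sliding window and raises an alert, together with the response actions the post names, the moment a user crosses the line. The audit events, the `export` action name, user names and channel names are all constructed; a real feed would come from Slack's audit log API.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # sliding window for counting exports
ABSOLUTE_FLOOR = 3            # never tolerate more than this without a baseline
BASELINE_MULTIPLIER = 5       # alert at 5x the user's worst historical hour

# Constructed audit events (not real Disney logs): (timestamp, user, action, channel).
# "export" is the hypothetical action name we assume the audit feed emits.
BASELINE_EVENTS = [
    ("2024-06-03T10:12:00", "mgr.dev", "export", "#proj-alpha"),
    ("2024-06-10T09:40:00", "mgr.dev", "export", "#proj-beta"),
    ("2024-06-21T15:05:00", "mgr.dev", "export", "#proj-alpha"),
    ("2024-06-05T11:00:00", "eng.one", "export", "#proj-alpha"),
]
LIVE_EVENTS = [
    ("2024-07-10T02:00:00", "mgr.dev", "export", "#proj-alpha"),
    ("2024-07-10T02:03:00", "mgr.dev", "export", "#proj-beta"),
    ("2024-07-10T02:06:00", "mgr.dev", "export", "#proj-gamma"),
    ("2024-07-10T02:09:00", "mgr.dev", "export", "#proj-delta"),
    ("2024-07-10T02:12:00", "mgr.dev", "export", "#proj-epsilon"),
    ("2024-07-10T02:15:00", "mgr.dev", "export", "#proj-zeta"),
    ("2024-07-10T09:30:00", "eng.one", "export", "#proj-alpha"),
    ("2024-07-10T09:31:00", "eng.one", "message", "#general"),
    ("2024-07-10T13:00:00", "contractor", "export", "#proj-alpha"),
    ("2024-07-10T13:04:00", "contractor", "export", "#proj-beta"),
    ("2024-07-10T13:08:00", "contractor", "export", "#proj-gamma"),
]


def exports_by_user(events):
    """Group export events per user as time-sorted (datetime, channel) pairs."""
    by_user = defaultdict(list)
    for ts, user, action, channel in events:
        if action == "export":
            by_user[user].append((datetime.fromisoformat(ts), channel))
    for exports in by_user.values():
        exports.sort()
    return by_user


def max_window_count(exports, window=WINDOW):
    """Largest number of distinct channels exported inside any one window."""
    best = 0
    for i, (t0, _) in enumerate(exports):
        chans = {c for t, c in exports[i:] if t - t0 <= window}
        best = max(best, len(chans))
    return best


def thresholds(baseline_events):
    """Per-user alert threshold derived from historical behavior."""
    return {user: max(ABSOLUTE_FLOOR, BASELINE_MULTIPLIER * max_window_count(ex))
            for user, ex in exports_by_user(baseline_events).items()}


def detect(live_events, limits, default=ABSOLUTE_FLOOR, window=WINDOW):
    """Sliding-window check; one alert per user, raised at the crossing event."""
    alerts = []
    for user, exports in exports_by_user(live_events).items():
        limit = limits.get(user, default)   # unknown users get the floor
        recent = []                         # exports still inside the window
        for t, channel in exports:
            recent = [(ts, ch) for ts, ch in recent if t - ts <= window]
            recent.append((t, channel))
            distinct = {ch for _, ch in recent}
            if len(distinct) >= limit:
                alerts.append({
                    "user": user,
                    "flagged_at": t.isoformat(),
                    "channels": len(distinct),
                    "limit": limit,
                    # Actions the post lists; an ITDR integration would execute them.
                    "response": ["suspend_session", "revoke_export_ability", "notify_security_team"],
                })
                break
    return alerts


if __name__ == "__main__":
    limits = thresholds(BASELINE_EVENTS)
    print("thresholds:", limits)
    for alert in detect(LIVE_EVENTS, limits):
        print(alert)
```

With this constructed data, `mgr.dev` has a quiet history (never more than one export per hour), so the threshold is five distinct channels in an hour and the alert fires at 02:12, twelve minutes after the bulk download started; the remaining channels are never reached. The contractor with no history hits the floor of three. The multiplier and floor are the knobs an analyst tunes against false positives in their own workspace.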

And speaking of taking action in time, the last concrete step Disney should have taken to prevent such an extensive breach is…

Take claims of hacking seriously enough to take action

July 11, 2024 may have been when NullBulge released the 1.1 TB contents of Disney’s developer Slack, but it wasn’t the first time NullBulge had announced its intentions (and actions!) in hacking Disney. 

Two months earlier, in May 2024, NullBulge posted on their website: “Here is one I never thought I would get this quickly … Disney. Yes, that Disney. The attack has only just started, but we have some good shit. To show we are serious, here is 2 files from inside.”

In June 2024, NullBulge teased again, posting on X what appeared to be Disneyland Paris visitor, booking and revenue data.

Obviously, not every hacking claim has reality behind it. But it’s certainly a good reminder to check that your data security solutions are functioning well enough to catch the hacker, should the claim turn out to be true. 

Disney had these warning signs two months ago. That’s time enough to shore up the above-mentioned data loss protection and insider threat detection and response capabilities. 

But it doesn’t appear that they did. That’s a shame.

Let it be a warning… to act

Wise people use warning signs as a motivator to fix what they’ve been putting off fixing. 

Disney now has to put in boatloads of resources into mopping up this data leak. But you have the opportunity to plug your organization’s data security hole before it widens and exposes your data to a far wider audience than you intend. 

Be wise. Go put this into action now. 

You can even whistle while you work. 
