A furry hacktivist group has breached Disney, leaked 1.1TiB of data, and says it's because Club Penguin shut down

Disney has suffered a massive leak of employee and company information, after hackers claimed one of its software managers was the victim of a Trojan horse malware attack. A whopping 1.1 terabytes of data has been leaked online, including personal information and details of unannounced products, including videogames. And the hackers say they're furries, and cite the shutdown of Club Penguin in March 2017 as justification.

The so-called hacktivist group is called Nullbulge and let me do you a favour: don't Google that word. It's one of those fanart terms referring to a prominent groinal bulge that usually has a giant lock illustration on it. Nullbulge describes itself as "a hacktivist group protecting artists' rights and ensuring fair compensation for their work," and this statement of intent is accompanied by a very NSFW image of a lion, which emphasises the beast's package.

The group lists a bunch of things that, it says, makes a target fair game. These include "crypto promotion", "AI artwork", "any form of theft", and generally anything to do with creator compensation. Disney of course is right in the middle of the fights around AI use, whether that's CEO Bob Iger's outspoken opposition to the SAG-AFRA strike fighting for AI regulation and opposing artificial likenesses of actors and their voices, or the use of AI tech in the creation of upcoming projects.

"Our hacks are not those of malice," claim Nullbulge, "but those to punish those caught stealing. Big and small theft, meet the same fate." Big talk but, on this occasion at least, it's been backed up. We'll come to how it happened shortly, but after dropping various hints and some minor leaks, Nullbudge released all the data it had stolen from Disney alongside the following statement:

"Hi there folks, it's us again. 

"Yesturday [sic] we leaked some small DB, now we leak the big guns. 

"1.1 TiB of data, almost 10,000 channels, every message and file possible dumped. Unreleased projects, raw images and code, some logins, links to internal API / web pages, and more! Have fun sifting through it, there is a lot there. Perfect for gathering intelligence and more.

"Bet they never imagined taking down Club Penguin servers would cause this much shite."

So how did this happen? A classic piece of Trojan horse malware that, apparently, was packaged up with a mod for BeamNG, a popular game often seen in social media clips that is basically about all kinds of vehicle physics and crashing things. This "mod" was downloaded by a Disney manager of software development on their personal computer, which also had access to Disney's Slack channels (a popular corporate messaging system). Once the hacking group was in, it perpetrated a second hack on the same employee through an unknown method, and began downloading everything it could. The Disney employee eventually noticed and managed to block further access, but only after all of the above data had been stolen.

The grim element of this is the human side. This employee who was successfully targeted will undoubtedly face serious professional consequences, and in an extremely unpleasant move the hacker group went out of their way to publicly name the victim and release other personal information. But as well as that individual's life being altered, the group has obtained and released a huge amount of personal data and information about other Disney employees.

This is where hacktivism gets a bit queasy, to my taste anyway. We can talk all day about Disney as a corporate or cultural entity, its role in the media landscape, what it does well and what it does terribly, and what it should be held to account for. Disney's influence and size makes it a target for such groups, but when the crosshairs start falling on the lives of individuals who happen to work at Disney, who in almost all cases will be nowhere near the executive level where decisions are made, it rather invalidates any wider ethical point the hacktivist group wishes to make.

The idea of Disney being caught with its cyber-trousers down is, I will admit, somewhat amusing. But the idea of potential real-life consequences for individuals who just happen to work for the company is not.

This gets to a wider point about Nullbulge, which is that the group's branding and claims should not be taken at face value. Hacktivism is a convenient justification, the furry links may well be a red herring, and it may just be one person rather than a team. Infosec professionals particularly doubt the group's claims of Russian origin, while elsewhere online internet sleuths are claiming to have identified the individual responsible.

As you can imagine, Nullbulge's various online accounts have been swiftly nuked by Disney lawyers, and the leak is no longer easily available. It apparently includes data going back to 2019 including enormous amounts of internal communications, notes on employees and prospective employees and, presumably Nullbulge's greatest prize, photographs of employees' dogs.

Nullbulge sent an online message to the Wall Street Journal saying it targeted Disney "due to how it handles artist contracts, its approach to AI, and it’s [sic] pretty blatant disregard for the consumer." It said the data was released because Disney was not going to respond to its demands: "If we said 'Hello Disney, we have all your slack data' they would instantly lock down and try to take us out. In a duel, you better fire first."

Eric Parker, a security researcher who has been following the group's online activities, told the WSJ he believes that Nulldbudge is not a group, but one young man. "He's not doing it for money," said Parker. "I think this is an attention-seeking exercise."

This is not the first time Disney has been hacked: Disney+ user data was hacked several years ago. But this is a hack on a different scale and, while the information therein is not currently being disseminated widely, it is out there: which for the company's employees especially must be terrible.

This is also not the first time a hacktivist group has claimed to be furries. Last year self-described gay furry hackers breached one of the biggest nuclear labs in the US, and demanded it begin researching 'IRL catgirls'. Coincidence, or the start of a trend?

Disney has issued a simple statement regarding the hack, saying only "Disney is investigating this matter." It has not commented on the shutdown of Club Penguin.