In July 2024, a hacker leaked ~1 TB of Disney's internal data on the darknet and left the following message:
"1.1 TB of data dumped… They never imagined taking down club penguin servers would cause this!"
How was such a large dump stolen? And what did Club Penguin servers have to do with it?
Attack Flow:
A Disney employee downloads a game add-on on his personal machine > the add-on has hidden malware.
On the same machine, the employee signs into Disney's internal communication tool 'Slack' > Malware captures credentials / session details.
Attacker uses stolen credentials to access Disney’s Slack > Gains entry to 10,000 Slack channels that the user is part of!
Attacker systematically downloads 1 TB of messages and files from the compromised channels.
Stolen data is leaked on the darknet, exposing Disney's internal communications and sensitive information.
Key Insights:
Many might say all of this is due to "human error" in downloading trojanized software onto their machine. This is true to some extent. But this would never have happened had the company blocked Slack access from personal machines to start with (so many attacks these days follow the exact same pattern).
A good security design doesn't rely on users always doing the right thing. It relies on making it hard for them to do the wrong thing. You cannot control human behavior, but you can control which devices and accounts get access to what.
After this incident, Disney announced that they will be replacing Slack with another tool. This is like changing the lock on your front door after a burglar breaks in through an open window. The tool isn’t the problem—it's the failure to secure the environment as a whole that is the problem.
One incident often seeds the next. How? In Disney's case, this leak exposed files that contained credentials to cloud infrastructure. Some of them could be live secrets. This is where strong incident response capabilities come into play: swiftly identifying which secrets were exposed, rotating them, and containing the damage.
Collaboration tools such as Slack and Teams are a new target for attackers. They should be monitored by SOC teams for suspicious activity. For example, Slack offers Audit Log APIs with anomaly events that can be integrated into SIEM tools for real-time monitoring. Monitor for data exfiltration scenarios.
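To make the monitoring point concrete, here is a small detector written for this post (it is not code from the original post, Disney, or Slack) that scans audit-log style records for the exfiltration pattern described in the attack flow: a login from an IP never seen for that user, followed by a burst of file downloads. It assumes the record layout follows Slack's documented audit-log shape (top-level "action", "date_create", "actor", "context"), treats the action names "user_login", "file_downloaded" and "anomaly" as the events of interest, and reads an anomaly's reason from a "details" field; all records, user IDs, IPs and the known-IP baseline below are constructed for illustration.

```python
"""Added example: flag bulk downloads and logins from unseen IPs in audit-log
style records. Field names follow Slack's documented audit-log layout (an
assumption for this example); the sample data is constructed, not real."""
from collections import defaultdict, deque

# Constructed baseline of IPs previously seen per user. In practice this is
# built from historical audit logs or the identity provider.
KNOWN_IPS = {
    "W001": {"198.51.100.10"},
    "W002": {"198.51.100.11"},
    "W003": {"198.51.100.12"},
}


def _entry(ts, action, user, ip, details=None):
    """Build one constructed record in the assumed audit-log shape."""
    rec = {
        "date_create": ts,
        "action": action,
        "actor": {"type": "user", "user": {"id": user}},
        "context": {"ip_address": ip},
    }
    if details:
        rec["details"] = details
    return rec


# Constructed sample log: W001 behaves normally, W002 logs in from a new IP
# and pulls 60 files in two minutes, W003 triggers a vendor anomaly event.
SAMPLE_LOG = (
    [_entry(1000, "user_login", "W001", "198.51.100.10")]
    + [_entry(1000 + 60 * i, "file_downloaded", "W001", "198.51.100.10") for i in range(5)]
    + [_entry(2000, "user_login", "W002", "203.0.113.77")]
    + [_entry(2000 + 2 * i, "file_downloaded", "W002", "203.0.113.77") for i in range(60)]
    + [_entry(3000, "anomaly", "W003", "198.51.100.12", {"reason": ["excessive_downloads"]})]
)


def user_of(e):
    return e["actor"]["user"]["id"]


def ip_of(e):
    return e.get("context", {}).get("ip_address")


def detect_download_bursts(entries, threshold=25, window=300):
    """One alert per user who downloads >= threshold files within `window`
    seconds (sliding window over the user's download timestamps)."""
    alerts, windows = {}, defaultdict(deque)
    for e in sorted(entries, key=lambda r: r["date_create"]):
        if e["action"] != "file_downloaded":
            continue
        u, q = user_of(e), windows[user_of(e)]
        q.append(e["date_create"])
        while q and e["date_create"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and u not in alerts:
            alerts[u] = {"user": u, "type": "download_burst", "count": len(q), "severity": "medium"}
    return list(alerts.values())


def detect_new_ip_logins(entries, known_ips):
    """Low-severity alert for a login from an IP not in the user's baseline."""
    return [
        {"user": user_of(e), "type": "login_new_ip", "ip": ip_of(e), "severity": "low"}
        for e in entries
        if e["action"] == "user_login" and ip_of(e) not in known_ips.get(user_of(e), set())
    ]


def detect_slack_anomalies(entries):
    """Pass the vendor's own anomaly events through to the SIEM as alerts."""
    return [
        {"user": user_of(e), "type": "slack_anomaly",
         "reason": e.get("details", {}).get("reason", []), "severity": "medium"}
        for e in entries if e["action"] == "anomaly"
    ]


def triage(entries, known_ips):
    """Combine detectors and escalate a burst that follows a new-IP login,
    which is the stolen-session pattern; returns alerts, highest severity first."""
    alerts = (detect_new_ip_logins(entries, known_ips)
              + detect_slack_anomalies(entries)
              + detect_download_bursts(entries))
    new_ip_users = {a["user"] for a in alerts if a["type"] == "login_new_ip"}
    for a in alerts:
        if a["type"] == "download_burst" and a["user"] in new_ip_users:
            a["severity"] = "high"
            a["note"] = "burst followed a login from an unseen IP"
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["user"]))


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

The thresholds (25 files in 5 minutes) are placeholders to tune against your own baseline; the useful part is the correlation in triage, since either signal alone is noisy but a new-IP login followed by a download burst is exactly what a stolen session looks like.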
According to reports, the user had access to 10,000 Slack channels (which is very puzzling). Maintaining and tracking basic RBAC hygiene across collaboration tools is critical. This is an interesting area, as it is not something most companies track closely today.
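As an added example of what "tracking RBAC hygiene" can look like in practice (written for this post; not Disney's, Slack's, or any vendor's code), the script below takes a snapshot of channel memberships and flags accounts whose channel count is a robust outlier against their peers, then lists the memberships with no recent activity as the first candidates for removal. The membership snapshot, user names, channel IDs and activity timestamps are all constructed; the outlier test uses median absolute deviation so one enormous account cannot drag the average up and hide itself.

```python
"""Added example: find over-entitled accounts and dormant channel memberships
from a constructed membership snapshot. Not code from the original post."""
import statistics

DAY = 86400
NOW = 1_720_000_000  # constructed "current time" (unix seconds)

# Constructed snapshot: user -> set of channel ids. In a real review this comes
# from an export of the collaboration tool's membership data.
MEMBERSHIPS = {
    "alice": {f"C{i}" for i in range(40)},
    "bob": {f"C{i}" for i in range(35)},
    "carol": {f"C{i}" for i in range(50)},
    "dave": {f"C{i}" for i in range(45)},
    "erin": {f"C{i}" for i in range(38)},
    "frank": {f"C{i}" for i in range(42)},
    "mallory": {f"C{i}" for i in range(900)},  # constructed over-entitled account
}

# Constructed last-activity timestamps per (user, channel). Every user is
# active in all but their ten highest-numbered channels; "mallory" is active
# in only the first twenty of 900.
LAST_ACTIVITY = {}
for _user, _channels in MEMBERSHIPS.items():
    _active = 20 if _user == "mallory" else len(_channels) - 10
    for _i in range(_active):
        LAST_ACTIVITY[(_user, f"C{_i}")] = NOW - 7 * DAY


def membership_outliers(memberships, k=5.0):
    """Return {user: score} for users whose channel count is more than k
    median-absolute-deviations above the median count."""
    counts = {u: len(c) for u, c in memberships.items()}
    med = statistics.median(counts.values())
    mad = statistics.median(abs(c - med) for c in counts.values()) or 1.0
    return {u: round((c - med) / mad, 1) for u, c in counts.items() if (c - med) / mad > k}


def stale_memberships(memberships, last_activity, now, max_idle_days=180):
    """Return {user: sorted channel ids} with no activity within max_idle_days
    (a membership with no recorded activity at all counts as stale)."""
    cutoff = now - max_idle_days * DAY
    stale = {}
    for user, channels in memberships.items():
        idle = sorted(ch for ch in channels if last_activity.get((user, ch), 0) < cutoff)
        if idle:
            stale[user] = idle
    return stale


def review_queue(memberships, last_activity, now):
    """Outlier accounts first, each with its stale channels to review; returns
    a list of (user, outlier_score, stale_channel_count), highest score first."""
    scores = membership_outliers(memberships)
    stale = stale_memberships(memberships, last_activity, now)
    return sorted(
        ((u, scores[u], len(stale.get(u, []))) for u in scores),
        key=lambda row: -row[1],
    )


if __name__ == "__main__":
    for user, score, n_stale in review_queue(MEMBERSHIPS, LAST_ACTIVITY, NOW):
        print(f"{user}: outlier score {score}, {n_stale} stale memberships")
```

Run periodically against a fresh export, the two outputs answer the questions that were apparently never asked in this case: does anyone hold far more channels than their peers, and which of those memberships are not being used at all.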
Now to the Club Penguin part. Club Penguin was a popular video game made for kids around 2007. Disney bought Club Penguin and shut it down in 2017. Some Club Penguin fans kept the game alive via private servers offering unofficial emulated versions. Disney had them shut down too, and 3 people were arrested in 2022. According to the attacker, those Club Penguin fans are getting their revenge on Disney with this hack. Cybersecurity is a crazy world, and attacks can come from the places you least expect!