Security

A Disney Worker Downloaded an AI Tool. It Led To a Hack That Ruined His Life. (dailymail.co.uk)

A Disney employee's download of an AI image generation tool from GitHub led to a massive data breach in July 2024, exposing over 44 million internal Slack messages. The software contained infostealer malware that compromised Matthew Van Andel's computer [non-paywalled source] for five months, giving hackers access to his 1Password manager.

The attackers used the stolen credentials to access Disney's corporate systems, publishing sensitive information including customer data, employee passport numbers, and revenue figures from Disney's theme parks and streaming services. The breach also devastated Van Andel personally. Hackers exposed his Social Security number, financial login details, and even credentials for his home's Ring cameras. Shortly after the incident, Disney fired Van Andel following a forensic analysis of his work computer, citing misconduct he denies. Security researchers believe the attacker, who identified as part of a Russia-based hacktivist group called Nullbulge, is likely an American individual.

  • by Anonymous Coward on Wednesday February 26, 2025 @12:39PM (#65196737)

    Article is missing what would have perhaps been the most helpful information, namely what this AI thing from GitHub actually is so that the rest of us could check to see if we have ever used it and might be compromised.

  • by ArsenneLupin ( 766289 ) on Wednesday February 26, 2025 @12:40PM (#65196739)
    ... basically just the title. Anybody have a link with the full story?
  • by kwelch007 ( 197081 ) on Wednesday February 26, 2025 @12:41PM (#65196741) Homepage

    A whole lot more than just some lost passwords went wrong here.

  • Corporate security (Score:4, Interesting)

    by fluffernutter ( 1411889 ) on Wednesday February 26, 2025 @12:53PM (#65196773)
    What were the security guidelines for Disney employees? Were they told not to install anything that wasn't explicitly cleared by Disney or were they allowed to use their workstation as a playground?
    • by radarskiy ( 2874255 ) on Wednesday February 26, 2025 @01:42PM (#65196933)

      "told not to install "

      Disney is large enough that their IT should have the tools to *prohibit* installation.

      • by GoTeam ( 5042081 )

        "told not to install "

        Disney is large enough that their IT should have the tools to *prohibit* installation.

        It probably has something to do with the amount of control given to this "imagineer" for him to do his job. He probably had elevated permissions in their environment. That's enough to get you blocked from all but the lowest jobs in his chosen profession going forward.

      • by IWantMoreSpamPlease ( 571972 ) on Wednesday February 26, 2025 @02:13PM (#65197069) Homepage Journal

        That Mickey Mouse operation? Doubt it ;-)

      • by dmomo ( 256005 )

        And at a higher level, if those prohibitions were bypassed, maliciously or innocently, the data that was accessed was not secure. One employee's computer shouldn't have this much power over company data and infrastructure. The real failure is up the chain. This is a CTO-level failure.

    • by msauve ( 701917 ) on Wednesday February 26, 2025 @01:56PM (#65196985)
      The malware was installed on a home (not work) computer, which appears to have never been connected to a Disney network.

      The problem was:

      The hacker gained access to 1Password, a password-manager that Van Andel used to store passwords and other sensitive information, as well as "session cookies," digital files stored on his computer that allowed him to access online resources including Disney's Slack channel.

      How and why Disney credentials were in his personal 1Password is not explained.

      • i.e. no MFA or other type of access control
        • No MFA and also allowed full VPN access from an unmanaged (non-corporate) computer.

          CIO/CISO should be fired too.

        • He very likely did not have MFA on his 1Password account.
          He could very well have had MFA on every single other account he used, but if they had access to 1Password, and his MFA credentials were stored in 1Password (which is definitely a thing that it does, so it can auto-enter the TOTP code for you) then it was game over.

          • He very likely did not have MFA on his 1Password account.

            The article (or at least an article I read) said exactly that - the malware had a key logger, he logged into his non-MFA 1Password, and boom!

            It even cautioned people explicitly to set up MFA on 1password, which does seem like a great idea for a master password store, although obviously more annoying in day to day use which is why most people do not do it!

            • They must have then had some more malware on his computer to gather other information - with 1Password, when you first set up your account, you're given what they call an Emergency Kit, which is a PDF that has a secret key on it. This key is not held anywhere with 1Password, you have the only copy of it.
              You can not log in to a 1Password account with just the email and password, nor can you perform a password reset with just these credentials.

              In order to log in to 1Password from a new device, you must have t

    • by gweihir ( 88907 )

      This is a large enterprise. Hence it is certain that there was an explicit prohibition on what he did as part of his employment contract. Which he signed.

    • by alta ( 1263 )

      This doesn't surprise me and it scares me to death at the same time. Our administrators are usually the type to want to play around with new toys. And obviously they get privs that are dangerous. We DO a good job at not letting users log in to their machines with their admin or domain admin accounts. And we vault their admin accounts and do daily rotates. But STILL, I know of a way to get to the keys to the kingdom without a single MFA. I have a feeling others do too. We also don't like being told we c

    • Yeah, no kidding. Why would they not have application allow listing enabled? How are users able to just run arbitrary executables downloaded from the Internet? Crazy that no security layer flagged this activity at all.

    • by dmomo ( 256005 )

      Further, why isn't this being described as a failure higher up the chain?
      Why should an employee have the power to cause this much destruction, even if the result of an error?
      If your company can crumble because of a single lower-level employee, you have issues with your security landscape.

    • Were they told not to install anything that wasn't explicitly cleared by Disney or were they allowed to use their workstation as a playground.

      In the many, many companies for which I have worked, not a single one has said I can download and install whatever I want on their computers. That is whether I had a dozen coworkers or thousands of coworkers. I can surmise a large corporation like Disney explicitly states these rules.

  • Ruined his life, really? Sounds like a minor inconvenience and a great opportunity to sue your employer for wrongful dismissal. He may have won the jackpot.

    • Re:Perspective (Score:4, Interesting)

      by gweihir ( 88907 ) on Wednesday February 26, 2025 @01:58PM (#65196989)

      Hahaha, no. Prohibition to download and install software yourself is typically part of your employment contract. If anything, Disney could sue him for all the damage done and he would have to pay. Likely the only reason they are not doing that is because they would not recover a lot and it would be bad for their public image.

      Seriously, how clueless do you have to be to make a statement like you just did?

      • Prohibition to download and install software yourself is typically part of your employment contract.

        On your own computer at home?

    • by GoTeam ( 5042081 )

      Ruined his life, really? Sounds like a minor inconvenience and a great opportunity to sue your employer for wrongful dismissal. He may have won the jackpot.

      That would be assuming he is innocent. If it really was a "forensic analysis of his work computer" that turned up the evidence of his wrongdoing, I don't think he has a jackpot waiting for him...

  • by redmid17 ( 1217076 ) on Wednesday February 26, 2025 @01:25PM (#65196881)
    Loses his job and life in process of doing idiot things. News at 11
  • That's what the article is going for, anyway. They want readers to feel like AI is fundamentally insecure, when that's not what happened here.

  • How stupid do you have to be? This guy downloaded unauthorized software from an external source, doubtless without permission to do so, and then messed it up.

    He is lucky to just have gotten fired.

    • by ack154 ( 591432 )

      You may have already read it in a couple of the replies above, but this wasn't his work computer. It was a personal computer at home. So not really much "unauthorized" about that or "permission" required. They got in through his then compromised 1Password account where he had apparently stored Disney credentials. Of course, should he have been storing work account info in a (assumed) non-work password manager? Don't know what Disney's policy is there.

  • that compromised Matthew Van Andel's computer [non-paywalled source]

    The non-paywalled source displays only the first two lines of the article with no javascript, and a paywall with it.

    Fuck your paywall-only article.

  • Those attacks are what worries me, because no matter what security I have, be it a PW manager, FDE, encrypted drives, a decent AV condom, running macOS as a balance between app availability and privacy, and such, all it takes is one thing like this to completely compromise everything.

    Maybe we need to see about better containerization somehow, perhaps move towards the QubesOS model? That, or block the channels that infostealer malware works on, perhaps prompting the user, just in case this is something legi
