
A Disney Worker Downloaded an AI Tool. It Led To a Hack That Ruined His Life. (dailymail.co.uk) 94
A Disney employee's download of an AI image generation tool from GitHub led to a massive data breach in July 2024, exposing over 44 million internal Slack messages. The software contained infostealer malware that compromised Matthew Van Andel's computer [non-paywalled source] for five months, giving hackers access to his 1Password manager.
The attackers used the stolen credentials to access Disney's corporate systems, publishing sensitive information including customer data, employee passport numbers, and revenue figures from Disney's theme parks and streaming services. The breach also devastated Van Andel personally. Hackers exposed his Social Security number, financial login details, and even credentials for his home's Ring cameras. Shortly after the incident, Disney fired Van Andel following a forensic analysis of his work computer, citing misconduct he denies. Security researchers believe the attacker, who identified as part of a Russia-based hacktivist group called Nullbulge, is likely an American individual.
Re: (Score:2)
Re:Judging by the picture (Score:4, Funny)
When kids go through puberty, they suddenly start to see the world in a different perspective. It causes a lot of mental shit. That's when mental hygiene starts to become important. They have to learn to use those newly acquired executive functions to sort stuff out.
It is hard at first. Mental shit flying around everywhere. But after a few years, they'll learn how to cope and dump the mental shit in an appropriate location. Slashdot for instance. Good! Sticker for you!
Re: (Score:2)
Re:WOKE Disney hires DEI people. Gets HACKED. :D (Score:5, Insightful)
My favorite thing about the word "woke" is that when someone is mad about it I can instantly dismiss them as an idiot without having to read all of their rambling stupidity.
Re: (Score:3)
I'll bet you think there's nothing odd at all about virtually all Western countries suffering regular terrorist attacks by Muslim scumbags that are mostly unreported by news media.
Do you think those attacks were inspired by boredom?
Re: (Score:3)
My favorite thing about the word "woke" is that when someone is mad about it I can instantly dismiss them as an idiot without having to read all of their rambling stupidity.
DEI has now joined that prestigious list of words which also includes "PC gone mad".
It's almost as if they know they'll be called a cunt for saying what they really want to... but don't like being called a cunt.
Re: (Score:3)
The word once had an actual meaning, mainly relating to things that are "politically correct" but make no actual sense. But it's a nicely meaningless word that can be applied to anything Fox News viewers dislike.
Re: (Score:1)
Re: (Score:2)
It does sound like the company is on their last legs
https://thewaltdisneycompany.c... [thewaltdisneycompany.com]
https://finance.yahoo.com/news... [yahoo.com]
I'd give them another 6 months before chapter 11.
Re: (Score:1)
"Disney’s net income increased nearly 23% to $2.64 billion, or $1.40 per share, from $2.15 billion or $1.04 per share, during the same quarter last year."
https://www.cnbc.com/2025/02/0... [cnbc.com]
Straight from the last earnings report three weeks ago. You're saying you have more up to date info? They're tanked that much?
Re: (Score:2)
ROFL the actual disney article titled "The Walt Disney Company Reports First Quarter Earnings for Fiscal 2025" is out of date? How far into 2025 do you think we are exactly?
Re: (Score:2)
Be an idiot, make deranged postings. Like you just did.
Re: (Score:2)
I'd say Disney owns your children's hearts, but it's not like anyone would fuck you
Re: (Score:2)
> Go woke, go broke, Disney...
This post is so high on stupid that I think it may be satire. There can't be anybody on Slashdot that is this brain-dead.
[Checks author's post history..]
OK, it turns out it is not satire. This guy is really having some issues.
So what was the "AI image generation tool" ? (Score:5, Insightful)
Article is missing what would have perhaps been the most helpful information, namely what this AI thing from GitHub actually is so that the rest of us could check to see if we have ever used it and might be compromised.
Re:So what was the "AI image generation tool" ? (Score:5, Informative)
It was the ComfyUI_LLMVISION ComfyUI plugin from user AppleBotzz https://www.reddit.com/r/Stabl... [reddit.com]
Here's a decompiled & unpacked version of the malware for anyone interested: https://github.com/atericparke... [github.com]
Re:So what was the "AI image generation tool" ? (Score:4)
How is that not suspicious to anyone even remotely rational based on name alone?
Re: (Score:2)
How is that not suspicious to anyone even remotely rational based on name alone?
Clearly you aren't familiar with what software names look like for the last couple of decades or so. Virtually all of the names are suspicious. TONS of useful software is published by people using pseudonyms, as well, so neither the name of the software nor the name of the party who published it is particularly sus[picious].
I guess this makes sense, since Yoda was around long, long ago...
Re: (Score:1)
TONS of useful software is published by people using pseudonyms, as well
Such as the Pale Moon browser.
Re: (Score:2)
Someone in the comments section of WSJ said that the culprit was probably an add-on that was malware, and it is one that is known to be malware. Sorry, I don't recall the name.
The non-paywalled link is... (Score:3)
Re:The non-paywalled link is... (Score:5, Informative)
Not sure it's the full available details, but at least it has much more than that "non-paywalled" source from the summary.
Re:The non-paywalled link is... (Score:4, Funny)
Thank you.
When the DailyMail has more actual information about something, you know the world is sorely topsy-turvy.
Yeah.... (Score:3)
A whole lot more than just some lost passwords went wrong here.
Corporate security (Score:4, Interesting)
Re:Corporate security (Score:5, Insightful)
"told not to install "
Disney is large enough that their IT should have the tools to *prohibit* installation.
Re: (Score:3)
"told not to install "
Disney is large enough that their IT should have the tools to *prohibit* installation.
It probably has something to do with the amount of control given to this "imagineer" for him to do his job. He probably had elevated permissions in their environment. That's enough to get you blocked from all but the lowest jobs in his chosen profession going forward.
Re: (Score:2)
You don't need elevated permissions for things like that. You can do a lot of things without admin on Windows these days. Things like installing software can be left to the IT team to work out if and when to install it for the user. I would pr
Re: (Score:2)
Re:Corporate security (Score:5, Funny)
That Mickey Mouse operation? Doubt it ;-)
Re: (Score:2)
Now, that is just Goofy!
Re: (Score:2)
And at a higher level, if those prohibitions were bypassed, maliciously or innocently, the data that was accessed was not secure. One employee's computer shouldn't have this much power over company data and infrastructure. The real failure is up the chain. This is a CTO-level failure.
Re:Corporate security (Score:5, Interesting)
The problem was:
How and why Disney credentials were in his personal 1Password is not explained.
Re: (Score:2)
Re: (Score:2)
No MFA and also allowed full VPN access from an unmanaged (non-corporate) computer.
CIO/CISO should be fired too.
Re: (Score:2)
He very likely did not have MFA on his 1Password account.
He could very well have had MFA on every single other account he used, but if they had access to 1Password, and his MFA credentials were stored in 1Password (which is definitely a thing that it does, so it can auto-enter the TOTP code for you) then it was game over.
Re: (Score:3, Interesting)
He very likely did not have MFA on his 1Password account.
The article (or at least an article I read) said exactly that - the malware had a key logger, he logged into his non MFA 1Password, and boom!
It even cautioned people explicitly to set up MFA on 1password, which does seem like a great idea for a master password store, although obviously more annoying in day to day use which is why most people do not do it!
Re:Corporate security (Score:4, Interesting)
They must have then had some more malware on his computer to gather other information - with 1Password, when you first set up your account, you're given what they call an Emergency Kit, which is a PDF that has a secret key on it. This key is not held anywhere with 1Password, you have the only copy of it.
You can not log in to a 1Password account with just the email and password, nor can you perform a password reset with just these credentials.
In order to log in to 1Password from a new device, you must have the secret key, which is long and unguessable like: A3-FSHJNM-7T85AC-VC83W-7NTCN-457SS-BA3H1
So, either they had a full RAT on his PC or he had his Emergency Kit saved as a PDF somewhere on his PC and they were able to find the file.
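The two-secret design the comment describes, as an added, simplified illustration; this is not 1Password's code, and the salt, email, password, HKDF info strings and the (deliberately low) PBKDF2 iteration count are assumptions made for the example. The secret key is the sample key quoted in the comment. The point it shows is that a keylogged master password on its own does not derive the vault key; the secret key has to come from somewhere else.

```python
import hashlib
import hmac


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Assumed parameters for this illustration. A real product uses its own constants and a
# far higher iteration count; these are kept small so the example runs quickly.
PBKDF2_ITERATIONS = 100_000
ACCOUNT_EMAIL = "mvanandel@example.com"                                # constructed
ACCOUNT_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed, server-held
SECRET_KEY = "A3-FSHJNM-7T85AC-VC83W-7NTCN-457SS-BA3H1"                # sample key from the comment
MASTER_PASSWORD = "correct horse battery staple"                       # constructed


def derive_unlock_key(password: str, secret_key: str, email: str, salt: bytes) -> bytes:
    """Two-secret key derivation: a slow hash of the password XORed with an
    expansion of the secret key. Either input alone yields a useless key."""
    # Password half: per-account salt, then PBKDF2 so that guessing is expensive.
    pw_salt = hkdf_sha256(salt, email.strip().lower().encode(), b"PBES2g-HS256")
    k_password = hashlib.pbkdf2_hmac("sha256", password.encode(), pw_salt, PBKDF2_ITERATIONS, 32)
    # Secret-key half: the key already carries 128+ bits of entropy, so no stretching is needed.
    flat = secret_key.replace("-", "").upper()
    version, account_id, body = flat[:2], flat[2:8], flat[8:]
    k_secret = hkdf_sha256(account_id.encode(), body.encode(), version.encode())
    return bytes(a ^ b for a, b in zip(k_password, k_secret))


def enroll(password: str, secret_key: str) -> bytes:
    """Verifier the client keeps so it can tell a correct unlock from a wrong one."""
    key = derive_unlock_key(password, secret_key, ACCOUNT_EMAIL, ACCOUNT_SALT)
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def unlock(password: str, secret_key: str, verifier: bytes) -> bool:
    """True only when both the password and the secret key are right."""
    key = derive_unlock_key(password, secret_key, ACCOUNT_EMAIL, ACCOUNT_SALT)
    attempt = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(attempt, verifier)


if __name__ == "__main__":
    verifier = enroll(MASTER_PASSWORD, SECRET_KEY)
    # What a keylogger alone delivers: the password, plus a secret key the attacker must guess.
    print("password only:", unlock(MASTER_PASSWORD, "A3-000000-00000000000000000000000000", verifier))
    print("both secrets: ", unlock(MASTER_PASSWORD, SECRET_KEY, verifier))
```

This is why the comment's alternative matters: a device that is already signed in has to hold the secret key locally in order to unlock offline, so malware with file access on that machine can read it from the app's own data rather than from an Emergency Kit PDF, and the design then protects only against an attacker who never had code execution on an enrolled device.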
Re: (Score:2)
You would think an engineer would know better. You would also think the IT department of such a large organization would require MFA and some other security features that are readily available.
Of course, if you export all the jobs to the cheapest bidder, you get what you pay for.
Re: (Score:3)
They were allowing him to connect from his personal machine, obviously.
Whatever else is true about this story, that was a gross failure on Disney's part.
No form of BYOD is a good idea, and it never was. Work should be done on work computers only. It's cheaper to send a computer home with employees who need one than to have your network compromised.
Re: (Score:2)
This is a large enterprise. Hence it is certain that there was an explicit prohibition on what he did as part of his employment contract. Which he signed.
Re: (Score:3)
This doesn't surprise me and it scares me to death at the same time. Our administrators are usually the type to want to play around with new toys. And obviously they get privs that are dangerous. We DO a good job at not letting users log in to their machines it their admin or domain admin accounts. And we vault their admin accounts and do daily rotates. But STILL, I know of a way to get to the keys to the kingdom without a single MFA. I have a feeling others do too. We also don't like being told we c
Re: Corporate security (Score:2)
Re: (Score:2)
I don't know the details in this case, but generally, any admin tasks which affect important corporate servers, should be done on separate laptops which are dedicated to that and never used for anything else. No email, web browsing, none.
The idea that we have to make every corporate device super secure and safe and totally locked down, regardless of its purpose is a foolish endeavour, because it's generally impossible, and hugely distracting from simply focusing on on what matters.
Re: (Score:2)
Yeah, no kidding. Why would they not have application allow listing enabled? How are users able to just run arbitrary executables downloaded from the Internet? Crazy that no security layer flagged this activity at all.
Re: (Score:2)
Further, why isn't this being described as a failure higher up the chain?
Why should an employee have the power to cause this much destruction, even if the result of an error?
If your company can crumble because of a single lower-level employee, you have issues with your security landscape.
Re: (Score:2)
Were they told not to install anything that wasn't explicitly cleared by Disney, or were they allowed to use their workstation as a playground?
In the many, many companies for which I have worked, not a single one has said I can download and install whatever I want on their computers. That is true whether I had a dozen coworkers or thousands. I can surmise a large corporation like Disney explicitly states these rules.
Perspective (Score:2)
Ruined his life, really? Sounds like a minor inconvenience and a great opportunity to sue your employer for wrongful dismissal. He may have won the jackpot.
Re:Perspective (Score:4, Interesting)
Hahaha, no. Prohibition to download and install software yourself is typically part of your employment contract. If anything, Disney could sue him for all the damage done and he would have to pay. Likely the only reason they are not doing that is because they would not recover a lot and it would be bad for their public image.
Seriously, how clueless do you have to be to make a statement like you just did?
Re: (Score:3)
Prohibition to download and install software yourself is typically part of your employment contract.
On your own computer at home?
Re: (Score:2)
If you have work credentials stored on it (which you exceptionally likely were not allowed to), yes. Stop trying to find an angle. This guy messed up big time.
Re: (Score:2)
... Disney could sue him for all the damage done and he would have to pay. Likely the only reason they are not doing that is because they would not recover a lot and it would be bad for their public image ...
Their public image kinda took a shit when they tried to EULA the guy out of a lawsuit over the death of his wife in a Disney-controlled restaurant. I'm thinking it's more likely they don't want to get the suing ball rolling, lest some of their partners, employees, etc. that had data leaked start looking at their IT security practices with that Looney-Tunes-wolf kind of interest.
Re: (Score:2)
Probably. This guy's lucky day.
Re: (Score:2)
Ruined his life, really? Sounds like a minor inconvenience and a great opportunity to sue your employer for wrongful dismissal. He may have won the jackpot.
That would be assuming he is innocent. If it really was a "forensic analysis of his work computer" that turned up the evidence of his wrongdoing, I don't think he has a jackpot waiting for him...
Re: (Score:2)
Having your SSN and financial details exposed is a 'minor inconvenience'? No.
Re:Corrected headline --- (Score:4, Insightful)
While your overall thinking is mostly correct... TFA says it was his home computer, not a work one.
But they were able to compromise his 1Password account on that computer, which had Disney credentials stored in it. And I don't know about you, but I'd suggest that many corporate password storage policies are not as clearcut as their software/download policies. Was it his personal 1Password account that had work credentials in it? Does Disney have recommended password storage guidelines or requirements? Was he following any of those?
Re: Corrected headline --- (Score:2)
Idiot does Idiot things (Score:4, Informative)
Dumb people: I blame AI for this. (Score:2)
That's what the article is going for, anyway. They want readers to feel like AI is fundamentally insecure, when that's not what happened here.
Re: (Score:2)
I'm honestly surprised they published an article that was critical of AI. We get ten AI cheerleading articles a day. This one doesn't fit the narrative.
"He denies" (Score:2)
How stupid do you have to be? This guy downloaded unauthorized software from an external source, doubtless without permission to do so, and then messed it up.
He is lucky to just have gotten fired.
Re: (Score:3)
You may have already read it in a couple of the replies above, but this wasn't his work computer. It was a personal computer at home. So not really much "unauthorized" about that or "permission" required. They got in through his then compromised 1Password account where he had apparently stored Disney credentials. Of course, should he have been storing work account info in a (assumed) non-work password manager? Don't know what Disney's policy is there.
Re: (Score:2)
If he uses his private computer to store work credentials (which exceptionally likely was explicitly forbidden), and then does not protect it adequately, that is not better. That is _worse_. It simply adds another violation of his work contract on top.
non-paywalled? False. (Score:2)
that compromised Matthew Van Andel's computer [non-paywalled source]
The non-paywalled source displays only the first two lines of the article with no javascript, and a paywall with it.
Fuck your paywall-only article.
These attacks are what keeps me up at night... (Score:2)
Those attacks are what worries me, because no matter what security I have, be it a PW manager, FDE, encrypted drives, a decent AV condom, running macOS as a balance between app availability and privacy, and such, all it takes is one thing like this to completely compromise everything.
Maybe we need to see about better containerization somehow, perhaps move towards the QubesOS model? That, or block the channels that infostealer malware works on, perhaps prompting the user, just in case this is something legi
What the hell was his job at Disney? (Score:3)
Re:What the hell was his job at Disney? (Score:5, Informative)
Re: (Score:2)
The article says Matthew Van Andel lost over $200,000 in bonuses.
Erm... so he lost money he didn't actually have.
Something about counting chickens here, if he made any purchases or investments counting on that money he has no-one to blame but himself.
Too bad for that person, but good for Disney (Score:2)
Trust (Score:2)
Re: (Score:2)
Re: (Score:2)
But no responsible organization should ever be trusting code from a third party.
Do you mean no responsible organization should run Windows or MacOSX?
More than just downloading tool (Score:3)
Do your employers have your passport numbers? (Score:2)