Hacker's Corner: The Disney Slack Breach: One Employee, One App, One Terabyte Lost
- Gregory Flatt

Inside the breach, the malware, and the mistake that opened the door
When a Disney employee downloaded an AI art tool from GitHub, they weren’t trying to cause a breach. But that single act of Shadow IT opened the door for a hacker known as “NullBulge” to infiltrate nearly 10,000 Slack channels and exfiltrate over 1 terabyte of confidential data.
This wasn’t a technical failure—it was a visibility failure.
In this month’s Hacker’s Corner, we break down the Disney Slack breach, how it happened, and why Zero Trust might have been the only thing that could’ve stopped it.
It started with a single download.
Not a nation-state attack. Not a zero-day exploit. Just one developer, sitting at their desk at Disney, who wanted to try out a new AI art generator they’d seen trending on GitHub.
A harmless experiment—until it wasn’t.
What followed was one of the most revealing breaches of 2024: over 1.1 terabytes of internal Disney communications and assets quietly siphoned out of the company’s Slack workspace. Thousands of private channels, confidential conversations, unreleased projects—all gone. And it all began with what cybersecurity professionals call Shadow IT: software and services installed outside the watchful eye of IT.
“NullBulge” and the Day Slack Turned Toxic
The attacker didn’t use sophisticated exploits. He didn’t need to. Operating under the alias NullBulge, the hacker simply waited for opportunity to knock—and a Disney employee opened the door wide.
The door came in the form of a GitHub-hosted tool: an AI art generation application with no formal security review, no vendor validation, and—crucially—no IT authorization. The employee ran it on a company-managed laptop, giving the malware baked inside just enough room to breathe.
From there, it did what malware does best: creep.
It harvested cached credentials. Password manager vaults. API keys. Tokens. The most valuable prize? Access credentials to Disney’s internal Slack environment.
Once inside, NullBulge wasn’t in a rush. He lurked, monitored, and escalated access. Over time, he scraped Slack channels—nearly 10,000 of them, covering every department from legal to animation to executive strategy. And Disney had no idea. Slack, like so many modern collaboration tools, lacks robust logging and detection by default—especially if it’s treated as a productivity tool, not a protected one.
Why It Worked: The Shadow IT Blind Spot
Disney had solid cybersecurity. This breach didn’t happen because their systems were wide open—it happened because an unvetted app bypassed the perimeter entirely.
This is the very definition of Shadow IT: any software, service, or device used without explicit approval from the IT or security team. It’s rampant across industries, and for companies like Disney—where creativity thrives and innovation is encouraged—it’s particularly hard to rein in.
But here’s the problem: every unsanctioned app is an unmonitored risk.
By the time NullBulge had scraped 1TB of data and posted snippets on public forums, the damage was irreversible. Disney was forced to shut down internal Slack use entirely and begin an expensive pivot to another communication platform. Internally, teams had to reevaluate how they managed authentication, application access, and endpoint trust.
Externally, the story became a case study for what happens when productivity and security stop talking to each other.
A Breach That Broke the Fourth Wall
This wasn’t just a breach—it was a revelation.
Inside the exfiltrated Slack data were unreleased storyboards, legal strategy discussions, early-phase intellectual property, private executive conversations, and even links to third-party vendor systems. The fallout didn’t stop at Disney. Any partner organization that had once shared a Slack Connect channel with Disney was now asking: “Was our data part of this too?”
Here’s where the real lesson surfaces: Slack was never the attack vector. It was the staging ground.
The malware didn’t need to punch through Disney’s firewall. It didn’t need a zero-day. It just needed an employee to run code they downloaded themselves.
Compliance in the Crosshairs: HIPAA, CMMC, and the Legal Shadow
For those operating under frameworks like HIPAA, NIST CSF, or CMMC 2.0, the implications of this kind of Shadow IT event are chilling.
Under HIPAA, ePHI can’t be stored or transmitted through unverified channels. If the same kind of app had been used in a healthcare setting, and patient records ended up in a compromised Slack channel, fines and audits would follow fast.
CMMC 2.0 requires companies working with the Department of Defense to enforce strict control over what software is allowed to run. The breached AI tool would’ve failed any application whitelisting check. And if any Controlled Unclassified Information (CUI) made its way into the breach? That’s a certification-level violation.
And for businesses working under the NIST Cybersecurity Framework? This attack highlights the breakdown in the “Identify” and “Protect” functions—specifically, failure to maintain accurate software inventories and control access to sensitive collaboration platforms.
What Disney Could Have Done Differently
This isn’t about blame. This is about architecture. Disney had policies—but policies alone don’t stop breaches.
What could’ve made the difference?
Zero Trust Architecture.
Under a true Zero Trust model, every app, user, and device is considered untrusted by default. Running unknown code? That app never gets access to corporate credentials or tokens. Trying to exfiltrate data from Slack? That traffic gets flagged, blocked, or at least logged. Accessing from an unknown device? The request gets challenged or isolated in a microsegment.
Zero Trust doesn’t stop you from using AI tools. It makes sure they don’t own your company in the process.
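As an added illustration of two of the controls described above (the "accurate software inventory" point under NIST and the "flag bulk access, challenge unknown devices" behaviour of a Zero Trust model), here is a small Python detector that replays audit-style events and raises the two alerts a defender would want. It is example code written for this article, not Disney's tooling and not Slack's audit log API; the event format, the enrolled-device list and the thresholds are all constructed assumptions.

```python
# Added example (not Disney's or Slack's code). Two Zero Trust style checks
# over constructed audit events:
#   1. bulk channel reads: an actor (user or app token) that reads many
#      distinct channels inside a sliding time window looks like a scrape;
#   2. unknown devices: a session from a device absent from the enrolled
#      inventory should be challenged, not silently allowed.
# The event schema here is invented for the example; it is NOT Slack's.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one employee reading a few channels from an enrolled
# laptop, and one unsanctioned tool token sweeping channels from an unknown host.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-07-10T09:00:00", "actor": "U_ALICE", "device": "LAPTOP-0042",
     "action": "channel_read", "channel": "C_ANIM"},
    {"ts": "2024-07-10T09:10:00", "actor": "U_ALICE", "device": "LAPTOP-0042",
     "action": "channel_read", "channel": "C_LEGAL"},
    {"ts": "2024-07-10T09:30:00", "actor": "U_ALICE", "device": "LAPTOP-0042",
     "action": "channel_read", "channel": "C_ANIM"},
    {"ts": "2024-07-10T09:45:00", "actor": "U_ALICE", "device": "LAPTOP-0042",
     "action": "channel_read", "channel": "C_STRAT"},
    {"ts": "2024-07-10T10:00:00", "actor": "B_ARTTOOL_TOKEN", "device": "UNKNOWN-7f3a",
     "action": "channel_read", "channel": "C_ANIM"},
    {"ts": "2024-07-10T10:03:00", "actor": "B_ARTTOOL_TOKEN", "device": "UNKNOWN-7f3a",
     "action": "channel_read", "channel": "C_LEGAL"},
    {"ts": "2024-07-10T10:06:00", "actor": "B_ARTTOOL_TOKEN", "device": "UNKNOWN-7f3a",
     "action": "channel_read", "channel": "C_STRAT"},
    {"ts": "2024-07-10T10:09:00", "actor": "B_ARTTOOL_TOKEN", "device": "UNKNOWN-7f3a",
     "action": "channel_read", "channel": "C_EXEC"},
    {"ts": "2024-07-10T10:12:00", "actor": "B_ARTTOOL_TOKEN", "device": "UNKNOWN-7f3a",
     "action": "channel_read", "channel": "C_VENDOR"},
    {"ts": "2024-07-10T10:15:00", "actor": "B_ARTTOOL_TOKEN", "device": "UNKNOWN-7f3a",
     "action": "channel_read", "channel": "C_HR"},
])

# Constructed device inventory: the Zero Trust "is this a known device?" list.
ENROLLED_DEVICES = {"LAPTOP-0042", "LAPTOP-0107"}

CHANNEL_THRESHOLD = 5          # distinct channels per actor per window (assumed)
WINDOW = timedelta(hours=1)    # sliding window length (assumed)


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_readers(events, threshold=CHANNEL_THRESHOLD, window=WINDOW):
    """Return {actor: peak distinct-channel count} for every actor whose
    distinct channel reads inside some sliding window reach the threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "channel_read":
            by_actor[e["actor"]].append((e["ts"], e["channel"]))
    flagged = {}
    for actor, reads in by_actor.items():
        start = 0
        for end in range(len(reads)):
            # Slide the window forward until it spans at most `window`.
            while reads[end][0] - reads[start][0] > window:
                start += 1
            distinct = {ch for _, ch in reads[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), len(distinct))
    return flagged


def find_unknown_devices(events, enrolled=ENROLLED_DEVICES):
    """Return (actor, device) pairs where the device is not in the inventory."""
    return {(e["actor"], e["device"]) for e in events if e["device"] not in enrolled}


def run_detections(text=SAMPLE_EVENTS):
    """Run both checks and return a JSON-serialisable summary."""
    events = parse_events(text)
    return {
        "bulk_readers": find_bulk_readers(events),
        "unknown_devices": sorted(find_unknown_devices(events)),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

Run as a script it prints the unsanctioned token as a bulk reader (six distinct channels in a quarter of an hour) and its host as an unknown device, while the employee's ordinary reads stay below the threshold. The threshold and window are deliberately parameters: a real deployment would tune them per workspace, and the device check would be backed by the endpoint inventory rather than a hard-coded set.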
The Takeaway: Shadow IT Isn’t a Tech Problem. It’s a Visibility Problem.
Every company has a Shadow IT problem. The only difference is: some know it, and some haven’t seen it yet.
The Disney breach shows how even world-class organizations can be brought down by something as small as a GitHub repo and a curious employee. It’s not about malicious insiders—it’s about unintentional gaps in control.
Shadow IT will always exist. But if you know where to look—and put the right architecture in place—you can stop it from becoming your next headline.
Because sometimes, the most dangerous software in your company…
…is the one no one asked permission to install.
Want to know how your organization stacks up against Shadow IT?
Let’s talk Zero Trust, endpoint control, and how to prevent your Slack from becoming the next exfiltration pipeline.