Disney abandons Slack after hacker steals terabytes of confidential data using fake AI tool

A California man has admitted to orchestrating a sophisticated cybersecurity attack against Disney that led to a massive data breach and ultimately prompted the entertainment giant to abandon Slack entirely. The case highlights how seemingly innocent AI-related software downloads can serve as vehicles for credential theft, resulting in significant corporate security compromises and legal consequences.

The hack details: Ryan Mitchell Kramer, a 25-year-old from Santa Clarita, pleaded guilty to hacking Disney’s company Slack channel and stealing 1.1 terabytes of confidential information.

• The stolen data included sensitive revenue figures for services like Disney+ and ESPN+, personal information of current and prospective employees, and login credentials for cloud infrastructure access.
• Kramer created malicious software disguised as an AI art generation tool and distributed it on platforms like GitHub in early 2024.
• The breach had significant operational impact, causing Disney to completely abandon Slack as a corporate communication tool last year.

How the attack worked: A Disney employee downloaded Kramer’s malicious program between April and May 2024, unknowingly installing software that stole their login credentials.

• The malware harvested both personal and work account passwords stored on the victim’s computer.
• After gaining access to Disney’s Slack environment, Kramer collected the massive data trove and attempted to monetize the breach.
• Court documents revealed at least two other victims also downloaded the malicious file, giving Kramer unauthorized access to their computers and accounts.

The extortion attempt: Kramer contacted the Disney employee through Discord, demanding payment to prevent the release of stolen corporate data and personal information.

• The hacker posed as part of a fictional Russian hacktivist group called “NullBulge” during his extortion attempts.
• Disney worked closely with law enforcement during the investigation, leading to Kramer’s identification and eventual guilty plea.

Legal consequences: Kramer now faces maximum penalties of 10 years imprisonment and $500,000 in fines for the cybercrime.

• A Disney spokesperson told SFGATE: “We are pleased that this individual has been charged and has agreed to plead guilty to federal charges.”
• The company emphasized its ongoing commitment to working with law enforcement to ensure cybercriminals face justice.