A furry hacktivist group has breached Disney, leaked 1.1TiB of data, and says it's because Club Penguin shut down

Disney World
(Image credit: Photo by Roberto Machado Noa/LightRocket via Getty Images)

Disney has suffered a massive leak of employee and company information, after hackers claimed one of its software managers was the victim of a Trojan horse malware attack. A whopping 1.1 tebibytes of data has been leaked online, including personal information and details of unannounced products, including videogames. And the hackers say they're furries, and cite the shutdown of Club Penguin in March 2017 as justification.

The so-called hacktivist group is called Nullbulge and let me do you a favour: don't Google that word. It's one of those fanart terms referring to a prominent groinal bulge that usually has a giant lock illustration on it. Nullbulge describes itself as "a hacktivist group protecting artists' rights and ensuring fair compensation for their work," and this statement of intent is accompanied by a very NSFW image of a lion, which emphasises the beast's package.

The group lists a bunch of things that, it says, makes a target fair game. These include "crypto promotion", "AI artwork", "any form of theft", and generally anything to do with creator compensation. Disney of course is right in the middle of the fights around AI use, whether that's CEO Bob Iger's outspoken opposition to the SAG-AFRA strike fighting for AI regulation and opposing artificial likenesses of actors and their voices, or the use of AI tech in the creation of upcoming projects.

"Our hacks are not those of malice," claim Nullbulge, "but those to punish those caught stealing. Big and small theft, meet the same fate." Big talk but, on this occasion at least, it's been backed up. We'll come to how it happened shortly, but after dropping various hints and some minor leaks, Nullbudge released all the data it had stolen from Disney alongside the following statement:

"Hi there folks, it's us again. 

"Yesturday [sic] we leaked some small DB, now we leak the big guns. 

"1.1 TiB of data, almost 10,000 channels, every message and file possible dumped. Unreleased projects, raw images and code, some logins, links to internal API / web pages, and more! Have fun sifting through it, there is a lot there. Perfect for gathering intelligence and more.

"Bet they never imagined taking down Club Penguin servers would cause this much shite."

So how did this happen? A classic piece of Trojan horse malware that, apparently, was packaged up with a mod for BeamNG, a popular game often seen in social media clips that is basically about all kinds of vehicle physics and crashing things. This "mod" was downloaded by a Disney manager of software development on their personal computer, which also had access to Disney's Slack channels (a popular corporate messaging system). Once the hacking group was in, it perpetrated a second hack on the same employee through an unknown method, and began downloading everything it could. The Disney employee eventually noticed and managed to block further access, but only after all of the above data had been stolen.

The grim element of this is the human side. This employee who was successfully targeted will undoubtedly face serious professional consequences, and in an extremely unpleasant move the hacker group went out of their way to publicly name the victim and release other personal information. But as well as that individual's life being altered, the group has obtained and released a huge amount of personal data and information about other Disney employees.

This is where hacktivism gets a bit queasy, to my taste anyway. We can talk all day about Disney as a corporate or cultural entity, its role in the media landscape, what it does well and what it does terribly, and what it should be held to account for. Disney's influence and size makes it a target for such groups, but when the crosshairs start falling on the lives of individuals who happen to work at Disney, who in almost all cases will be nowhere near the executive level where decisions are made, it rather invalidates any wider ethical point the hacktivist group wishes to make.

The idea of Disney being caught with its cyber-trousers down is, I will admit, somewhat amusing. But the idea of potential real-life consequences for individuals who just happen to work for the company is not.

This gets to a wider point about Nullbulge, which is that the group's branding and claims should not be taken at face value. Hacktivism is a convenient justification, the furry links may well be a red herring, and it may just be one person rather than a team. Infosec professionals particularly doubt the group's claims of Russian origin, while elsewhere online internet sleuths are claiming to have identified the individual responsible.

As you can imagine, Nullbulge's various online accounts have been swiftly nuked by Disney lawyers, and the leak is no longer easily available. It apparently includes data going back to 2019 including enormous amounts of internal communications, notes on employees and prospective employees and, presumably Nullbulge's greatest prize, photographs of employees' dogs.

Nullbulge sent an online message to the Wall Street Journal saying it targeted Disney "due to how it handles artist contracts, its approach to AI, and it’s [sic] pretty blatant disregard for the consumer." It said the data was released because Disney was not going to respond to its demands: "If we said 'Hello Disney, we have all your slack data' they would instantly lock down and try to take us out. In a duel, you better fire first."

Eric Parker, a security researcher who has been following the group's online activities, told the WSJ he believes that Nulldbudge is not a group, but one young man. "He's not doing it for money," said Parker. "I think this is an attention-seeking exercise."

This is not the first time Disney has been hacked: Disney+ user data was hacked several years ago. But this is a hack on a different scale and, while the information therein is not currently being disseminated widely, it is out there: which for the company's employees especially must be terrible.

This is also not the first time a hacktivist group has claimed to be furries. Last year self-described gay furry hackers breached one of the biggest nuclear labs in the US, and demanded it begin researching 'IRL catgirls'. Coincidence, or the start of a trend?

Disney has issued a simple statement regarding the hack, saying only "Disney is investigating this matter." It has not commented on the shutdown of Club Penguin.

Rich Stanton
Senior Editor

Rich is a games journalist with 15 years' experience, beginning his career on Edge magazine before working for a wide range of outlets, including Ars Technica, Eurogamer, GamesRadar+, Gamespot, the Guardian, IGN, the New Statesman, Polygon, and Vice. He was the editor of Kotaku UK, the UK arm of Kotaku, for three years before joining PC Gamer. He is the author of a Brief History of Video Games, a full history of the medium, which the Midwest Book Review described as "[a] must-read for serious minded game historians and curious video game connoisseurs alike."

Read more
Mister Fantastic giving a thumbs up
A Marvel Rivals player has uncovered 'one of the most dangerous vulnerabilities a game can have' that'll let cheaters take over your PC and find your passwords
Alan Wake, a writer in a snazzy black suit, gives his all during The Herald of Darkness music video from Alan Wake 2.
The biggest gaming controversies of 2024
Redhead woman using computer laptop at home stressed with hand on head, shocked with shame and surprise face, angry and frustrated. Fear and upset for mistake.
Court documents show not only did Meta torrent terabytes of pirated books to train AI models, employees wouldn't stop emailing each other about it: 'Torrenting from a corporate laptop doesn't feel right'
The TikTok app with Donald Trump ranting behind it.
The run up to the US TikTok ban got as messy, emotional, and weird as the final days of an MMO—and now everyone's back and no one can look each other in the eye
Hacker
$1.5 billion crypto heist could be the biggest yet, more than doubling the previous record, but don't worry: The affected firm says it can take the hit
WASHINGTON, DC - NOVEMBER 13: Elon Musk listens as U.S. President-elect Donald Trump addresses a House Republicans Conference meeting at the Hyatt Regency on Capitol Hill on November 13, 2024 in Washington, DC. As is tradition with incoming presidents, Trump is traveling to Washington, DC to meet with U.S. President Joe Biden at the White House as well as meet with Republican congressmen on Capitol Hill. (Photo by Andrew Harnik/Getty Images)
'Elon is a father who gets lots of sex' somehow leads to renewed claims that Elon Musk superfan Adrian Dittmann is actually Musk himself
Latest in Security
An FBI wanted poster for alleged hacker Zhou Shuai.
US Justice Dept announces $10 million bounty on at-large 'hacker-for-hire' cabal it says targeted China critics, religious missionaries, and the Treasury
Kinzie, in an FBI jacket, uses a computer with the logo of the Third Street Saints on it
Have I Been Pwned adds over 284 million compromised passwords from latest breach
A still from a YouTube video of Senator Mark Warner speaking
Telecoms hack on US government officials is 'worst in nations history' and 'the barn door is still wide open' says senator
HDMI cable
Hackers can wirelessly spy on your display by collecting HDMI signal leaks and churning them through an AI, but I wouldn't break out the tin foil just yet
Computer code and text displayed on computer screens. Photographer: Chris Ratcliffe/Bloomberg
Forcing users to periodically change their passwords should go the way of the dodo according to the US government
An original Apple Macintosh Model M0001, as they celebrate 40th anniversary, is on display in between 2024 Apple models at the independent Apple products store chain Amac, on January 24, 2024 in Utrecht, The Netherlands. Based on the Motorola 68000 microprocessor, the Macintosh was the first successful mouse-driven computer with a graphical user interface.
Major browser providers scramble to patch an 18-year-old vulnerability affecting MacOS and Linux systems but Windows remains gloriously immune
Latest in News
Nvidia RTX 4060 Ti graphics card
Specs for Nvidia's new RTX 5050, 5060, and 5060 Ti GPUs leak out and that 5060 might actually be half decent. If it's priced right
Pipboy holds up an open padlock.
A BIOS update could be all that's stopping you or someone else from jailbreaking your old AMD CPU
Asus's new ultrawide sucks as hard as it blows
Asus' new monitors purify 90% of airborne dust from your desktop and I've definitely seen some gnarly gaming setups that would benefit
A screenshot from Sony's PlayStation 5 Pro announcement video, showing a stylized processor against a dark background with glowing lines streaming from its edges
The AMD x Sony collab gave us FSR4 and a version will appear in PlayStation next year, too, having 'already started to implement the new neural network on PS5 Pro'
Pedro Pascal as Joel in a coat in winter looking unhappy
'Don't you know what he did?': The truth comes out in The Last of Us Season 2 trailer
Aloy
'Creepy,' 'ghastly,' 'rancid': Viewers react to leaked video of Sony's AI-powered Aloy