Disney suffered a massive leak of employee and company information after hackers claimed that one of its software managers was the victim of Trojan malware. A whopping 1.1 terabytes of data was leaked online, including personal information and details of unreleased products such as video games. And the hackers say they are furries, citing as justification that Club Penguin was shut down in March 2017.

The so-called hacktivist group is called Nullbulge. The term is a fan art term referring to a prominent crotch bulge with an illustration of a giant lock; Nullbulge describes itself as “a hacktivist group that protects artists' rights and ensures fair compensation for their work,” and this statement of intent is accompanied by a very NSFW image accompanying it, highlighting the beast's package.

The group lists a number of things that would make the target fair game. These include “crypto promotion,” “AI artwork,” “theft in any form,” and generally anything having to do with creator compensation. Disney, of course, is in the midst of a battle over the use of AI, with CEO Bob Iger outspokenly opposing the SAG-AFRA strike for AI regulation, opposing artificial likenesses and voices for actors, and using AI technology to create future projects.

“Our hacking is not done out of malice,” Nullbulge argues, “but to punish those who steal. Big and small thefts suffer the same fate.” Big words, but at least this time they are backed up. We'll explain how it happened later, but after dropping various hints and a few small leaks, Nullbulge released all the data it stole from Disney with the following statement:

“Hello everyone, it's us again.

“Yesterday we leaked a small DB, now we leak the big one.

“1.1 TiB of data, almost 10,000 channels, every possible message and file dumped. Unpublished projects, raw images and code, some logins, links to internal APIs/web pages, etc. Have fun and sift through it all. Great for information gathering, etc.

“Never would have imagined that taking down Club Penguin's servers would cause so much shit.”

In a typical piece of Trojan malware, it appears to have been packaged with a mod for the popular game “BeamNG,” which is often seen on social media. This “mod” was downloaded by a Disney software development manager on his personal computer, which also had access to Disney's Slack channel (a popular corporate messaging system). Once the hacking group broke in, they used unknown methods to hack the same employees a second time and began downloading everything they could. The Disney employees eventually took notice and succeeded in blocking further access, but only after all of the above data had been stolen.

The tough element of this is the human aspect. This targeted employee would undoubtedly face serious consequences at work, and the hacker group went out of its way to publicly release the victim's name and other personal information in a very unsavory move. However, not only was that individual's life changed, but the group also obtained and published a tremendous amount of personal data and information about other Disney employees.

This is where hacktivism becomes somewhat sickening for my taste. We can talk all day about Disney as a corporate and cultural entity, its role in the media landscape, what is going well, what is going badly, and what needs to be held accountable. Disney's influence and size make it a target for such groups. But when the crosshairs begin to hit the lives of individuals who happen to work for Disney, in almost all cases they will not come close to the executive level where decisions are made.

I will admit that the idea of Disney getting caught with its cyber pants down is somewhat amusing. But the idea that an individual who happens to work for the company could be affected in real life is not.

This leads to a broader point about Nullbulge, namely that the group's brand name and claims should not be taken at face value. Hacktivism is a convenient justification, the furry link may be a red herring, or it may be one person rather than a team. Information security experts are particularly suspicious of the group's claim of Russian origin. Meanwhile, other online net detectives claim to have identified the individual responsible.

As you might imagine, Nullbulge's various online accounts were promptly deleted by Disney's lawyers, and the leaks are no longer readily available. They appear to contain a vast amount of internal communications, memos about employees and prospective employees, and data through 2019, including perhaps Nullbulge's biggest prize, a photo of an employee's dog.

Nullbulge sent an online message to the Wall Street Journal, stating that it targeted Disney because of “the way it handles artist contracts, its approach to AI, and its rather blatant disregard for consumers.” He said that because Disney would not comply with his demands, they released the data: if we said, “Hello, Disney, we have all your slack data,” they would immediately lock us down and try to take us out. In a duel, it's better to fire first.”

Eric Parker, a security researcher who has been following the group's online activities, told the WSJ that he believes Nulldbudge is one young man, not a group. 'He's not in it for the money,' Parker said. 'I think this is an attention-seeking activity.'

This is not the first time Disney has been hacked: Disney+ user data was hacked several years ago. However, this was a hack of a different scale, and while the information contained therein is not widely disseminated today, it is available to the public.

This is also not the first time a hacktivist group has claimed to be furry. Last year, a group of self-described gay furry hackers broke into one of the largest nuclear laboratories in the U.S. and demanded that “IRL catgirl” research begin. Coincidence or the start of a trend?

Disney issued a brief statement regarding the hack. It did not comment on the closure of Club Penguin.