The stranger messaging Matthew Van Andel online last July knew a lot about him—including details about his lunch with co-workers at Disney from a few days earlier.
His mind raced; he knew no one outside Disney would have access to that information. How did the person messaging him on chat forum Discord know what he had said in a private workplace Slack channel?
“I have gained access to certain sensitive information related to your personal and professional life,” another Discord message said. Van Andel realized he had been hacked.
The next morning, the lunchtime Slack exchange became one of more than 44 million Disney messages from the workplace collaboration tool published online by a cryptic hacking group with murky motivations. The hacker had used Van Andel’s login credentials to steal from his employer.
The hack sent Disney’s cybersecurity team in motion to assess the damage. Private customer information, employee passport numbers, and theme park and streaming revenue numbers were in the huge data dump.
The breach upended Van Andel’s life. The hacker stole his credit card numbers and racked up bills—and leaked his account login details, including those to financial accounts. The attacker published Van Andel’s personal information online, ranging from his Social Security number to login credentials that could be used to access Ring cameras within his home.
“It’s impossible to convey the sense of violation,” said Van Andel, a 42-year-old father of two boys.
A few weeks later, Van Andel, nicknamed Dutch, was also out of a job. After a forensic analysis of his work computer, Disney fired him, telling him it found he had accessed ographic material on the device. Van Andel denies accessing on his work computer.
“Mr. Van Andel’s claim that he did not engage in the misconduct that led to his termination is firmly refuted by the company’s review of his company-issued device,” a Disney spokesman said in a statement.
Disney said in an August regulatory filing that it was investigating the incident and that it wasn’t expected to have a material impact on its operations or financial performance. The company told employees after the hack that it planned to move away from Slack in an effort to streamline its collaboration tools.
Van Andel’s experience is a cautionary tale for companies—and individuals—of how vulnerable they are to opportunistic hackers.
During the pandemic, companies quickly made sure workers could access systems from home—and hackers soon realized home computers had become corporate back doors.
Hackers have built a variety of malicious tools, called infostealers, that hide in software that people download from the internet. The hackers swipe their credentials, which are resold online.
Stolen credentials were used in nearly 40% of financially motivated cyber intrusions last year, up from half that rate in 2022, according to Google’s Mandiant group, which investigates cyber intrusions.
Van Andel’s digital unraveling began last February, when he downloaded free software from popular code-sharing site GitHub while trying out some new artificial intelligence technology on his home computer. The software helped create AI images from text prompts.
It worked, but the AI assistant was actually malware that gave the hacker behind it access to his computer, and his entire digital life.
The hacker gained access to 1Password, a password-manager that Van Andel used to store passwords and other sensitive information, as well as “session cookies,” digital files stored on his computer that allowed him to access online resources including Disney’s Slack channel.
Van Andel learned he had a problem at lunchtime on Thursday, July 11, when he saw the Discord message from the stranger.
He thought it was a scam and almost deleted it, but read on and saw the reference to his Disney Slack conversation.
Van Andel called Disney’s “fire team,” a corporate group set up to quickly respond to cyber threats. They confirmed that his Slack account had been breached, but saw nothing suspicious on his corporate laptop and told him to check his personal devices.
His antivirus software hadn’t turned up anything on his PC, but he installed a second antivirus program that found the malware almost immediately.
The hacker said he was part of a Russia-based hacktivist group. He had been on Van Andel’s computer for five months.
Since the hack, security researchers say that Nullbulge is most likely a single person and an American.
While Van Andel was on the phone with Disney’s response team, the hacker sent an email that made it clear he had access to Van Andel’s personal email account.
He complained that Van Andel had marked his first message as spam and that he then put the second one into the trash. The hacker warned of a new stage of his campaign.
“Respond, do what we want, or end up on the net,” the hacker said.
As far as Van Andel knew, there was only one way the hacker could have gained access to his email: 1Password, the software he had used to secure his digital life.
The next few days passed in a blur; Van Andel reset the hundreds of credentials stored in his 1Password.
The hacker made good on his threat the next morning and published online every 1Password login credential Van Andel had stored.
His children’s Roblox accounts were hijacked. His online social-media accounts were filled with offensive language from strangers who used the leaked credentials.
Many of these accounts, including email, were protected by two-factor authentication. The hacker needed more than a username and password to break into two-factor accounts. People often use a text message or a mobile phone app, but Van Andel’s second factor was 1Password.
As he investigated his break-in, Van Andel realized that the key to his kingdom—the 1Password account—wasn’t itself protected by a second factor. It required just a username and password by default, and he hadn’t taken the extra step of turning on two-factor authentication.
Once someone has a keylogging Trojan program on his or her computer, “an attacker has nearly unrestricted access,” a 1Password spokesman said.
A marketplace for stolen credentials has blossomed in recent years, as have the hacking tools designed to steal them, cybersecurity experts say.
Van Andel barely slept or ate, and he has suffered panic attacks. Soon after he filed a police report, the hacker posted his personal information online. He started getting phone calls from media outlets and received creepy calls and text messages from strangers.
Eleven days after the ordeal began, a representative from Disney’s human resources department called to say Van Andel was fired in light of the laptop examination’s findings. “I’m the one who got hacked,” he told the HR representative.
His health insurance was terminated, and he lost about $200,000 in bonuses.
Van Andel is trying to get his life back. He has found contract work to help pay the bills, and his sister set up a GoFundMe campaign to help with expenses.
On Dec. 19, his lawyer sent a demand letter to Disney seeking an eight-figure settlement for lost wages and emotional distress.
Van Andel said he still sees signs online that people are trying to use the stolen credentials Nullbulge published to break into his accounts.
