A Disney Worker Downloaded An AI Tool That Led To A Costly Cyberattack

A simple software download turned into a nightmare for Matthew Van Andel, a former Disney employee. A cyberattack stole his personal information, and ultimately cost him his job, as first reported by The Wall Street Journal (WSJ).

Van Andel unknowingly invited the hacker into his system last February when he downloaded AI image-generation software from GitHub. Hidden within the program was an infostealer, malware designed to extract login credentials and other sensitive data, as reported by WSJ.

GitHub, a widely used platform for sharing code, has recently also been exploited by cybercriminals through fake repositories that spread malware worldwide. Attackers use AI-generated documentation and frequent updates to make these malicious projects appear legitimate, tricking developers into downloading harmful software.

Over the following months, the attacker gained access to Van Andel’s password manager, 1Password, as well as session cookies—digital tokens that bypass login credentials for online accounts.

This granted the hacker unauthorized entry into Disney’s Slack workspace, where millions of messages, internal documents, and even private employee and customer information were stored.

WSJ reports that Van Andel remained unaware of the breach until July 11, when he received a cryptic message on Discord referencing a conversation he had in Disney’s Slack channel. Soon after, his credentials were used to leak 44 million messages online, exposing Disney’s internal communications and financial data.

The fallout was swift. Disney launched a cybersecurity investigation, confirming the exposure of confidential customer details, employee passport numbers, and revenue figures from its streaming and theme park divisions. The company later announced plans to phase out Slack as a collaboration tool, reports WSJ.

For Van Andel, the attack didn’t stop at work. The hacker stole his credit card information, leaked his Social Security number, and even published credentials that could access security cameras in his home. “It’s impossible to convey the sense of violation,” said Van Andel, as reported by WSJ.

His digital accounts were hijacked, his children’s Roblox profiles were compromised, and strangers flooded his social media with offensive messages. The hacker, initially claiming to be from a Russia-based hacktivist group, later turned out to be an individual operating under the alias “Nullbulge.”

Days after the breach, Disney terminated Van Andel’s employment, citing forensic evidence of inappropriate material on his company-issued laptop—an allegation he denies.

“Mr. Van Andel’s claim that he did not engage in the misconduct that led to his termination is firmly refuted by the company’s review of his company-issued device,” a Disney spokesperson stated.

Van Andel has since filed a legal claim against Disney, seeking compensation for lost wages and damages. Meanwhile, he continues to battle the lingering effects of the cyberattack, as stolen credentials linked to his accounts remain active in underground markets.