In a significant data breach, hacktivist group NullBulge has infiltrated Disney’s internal Slack infrastructure, leaking 1.2TB of sensitive data. This breach, posted on the cybercrime platform Breach Forums on July 12, 2024, exposes many of Disney’s internal communications, compromising messages, files, code, and other proprietary information.

    • sheogorath@lemmy.world
      link
      fedilink
      English
      arrow-up
      32
      ·
      6 months ago

      Passwords and lotsa creds. I know an infra engineer who stores all of the keys to the projects he’s involved in his message to self Slack. When I asked him about it he told me ‘when I found out that the company billed my time 5x my salary to clients I stopped caring’ and I was like OK that’s fair ¯\_(ツ)_/¯

      • douglasg14b@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        edit-2
        6 months ago

        Depends. Our engineering slack (Few thousand members) doesn’t contain secrets for a few reasons:

        1. Secret scanning
        2. We have a /secret bot that will take your secret, store it securely, and then present a GUI for each person with access to display that secret “for just that person”. And then after a set period of time it’s made inaccessible, and wiped from the infra.
        3. Training and knowledge transfer on secret security

        This has been incredibly effective. Especially the secret bot.

        Turns out that the problem with people sharing secrets is just a matter of convenience. If you make a secure way convenient then everyone tends to just use it by default.