Hackers Exploited a PC Driving Sim to Pull Off Massive Disney Data Breach

BeamNG.drive is one of the world’s most popular driving simulators for good reason. While racing fans can appreciate its driving mechanics and environments, those with less patience or driving skill can find enjoyment in its unrivaled crash physics. Unfortunately for Disney, one of its higher-ups is (or was) a BeamNG fan who wasn’t careful enough with data security—and accidentally turned the game into a vector for hackers to pull off a major data heist.

The hackers behind the event are self-described furry hacktivist collective Nullbulge, which is apparently some kind of pornographic term. According to PCGamer, Nullbulge published a mod for BeamNG that contained a Trojan, or a kind of malware that allowed Nullbulge to remotely access computers it was activated on. One of the people to unwittingly install it was a Disney software development manager, who also had the company’s Slack channels active on the same computer.

Through unspecified means, hackers used this access to begin downloading everything they could from Disney. Data transfers reportedly included everything from employees’ personal info to assets for unannounced video games in development. In total, over one terabyte of data was pilfered before the Disney employee noticed and cut off the flow. But the damage had already been done.

The hackers (or solo hacker, as some believe) told The Wall Street Journal that the hack was revenge for the 2017 shutdown of children’s online game Club Penguin back in 2017. They also claimed to target Disney for attempting to lock down eternal rights to performers’ likenesses and voices, so they can keep making the same damn superhero movies until the sun burns out. The group’s motivations, however, don’t really add up, especially given how the mod was likely delivered.

Convincing a tech professional with computer literacy that presumably far exceeds the average person’s to install a piece of software seems like a hard sell. Meanwhile, booby-trapping a game mod and catching anyone who comes along seems like a more effective way to deliver malware. In all likelihood, this was a combo of bad luck and letting one’s guard down, rather than a targeted attack against Disney.

As for BeamNG, the game itself isn’t inherently a security risk—but any third-party mod is. Just like when you modify your car, you can’t throw random, unvetted parts at it and expect for the best. You wouldn’t order a turbo off Temu, would you? Actually, don’t answer that.

Got a tip or question for the author? You can reach them here: james@thedrive.com