Disney Employee Targeted in Password Manager Hack
we live in hell (https://weliveinhell.net) - Forum: interests & hobbies - Forum: science & technology
Thread: https://weliveinhell.net/showthread.php?tid=213
Disney Employee Targeted in Password Manager Hack - FrodoSwaggins - 02-27-2025

Matthew Van Andel downloaded an AI tool free from Github on his work computer at Disney. Before he knew it, his life was ruined. The AI tool contained a keylogger that went undetected by the antivirus provided by Disney. Worse, Van Andel's password manager 1Password did not have 2FA (2 factor authentication) set up, and so the hackers were able to gain access to his entire digital life, which was also his real life, let's be honest. As a result, Van Andel lost his career, his health insurance, and is now reduced to suing Disney and trying to raise money off a GoFundMe.

https://archive.is/S4SvS

Quote:
    Van Andel's digital unraveling began last February, when he downloaded free software from popular code-sharing site GitHub while trying out some new artificial intelligence technology on his home computer. The software helped create AI images from text prompts.

Van Andel did a lot of dumb stuff here, but in the past I've made similar mistakes, and I'll bet some readers are making those same mistakes right now.

The fact remains, everyone who uses technology needs to use challenging, unique passwords for every service that they use. The kind of password you can't memorize. Those passwords should be stored in a highly reputable password manager that works on computer and mobile. All accounts, including the password manager, should be secured with 2 factor authentication. One of the most secure forms of 2 factor authentication is a USB based key system, such as Titan Key (but others are fine). Another important method to consider is an authenticator app on your smartphone. There are also different authenticator apps, and some service providers (vendors) require a specific authenticator app. This is a good thing, so your security isn't entirely reliant on a single app.

Cellphones should be encrypted when possible and secured with a passcode, not facial recognition or a fingerprint. The passcode should be a pain in the ass to guess, not 1,2,3,4. You can be legally compelled to provide your face or fingerprint, but a passcode is harder.

Use a secure (end-to-end encrypted) messaging app such as Signal when messaging. Use 2FA with Signal and set up any security offered. Set your conversations to delete after a reasonable amount of time. Don't talk to anyone over SMS and don't get 2FA codes over SMS if you can possibly avoid those things. If Signal has to withdraw from your country, move to another secure messaging app.

Obviously, don't expect privacy or too much security when you're working on a machine owned by your employer!

Other Stuff

Questions that someone, at some point, might ask in a courtroom about the Van Andel case:

What the hell, 1Password? Why would it NOT require secure 2FA? Bad app, bad!

Session cookies? Damn, how long duration and how insecure were those Slack session cookies that the hackers were able to access so much via Disney's Slack? Maybe Slack should, I dunno, add 2FA and make people log in periodically???

That antivirus, again, what the heck. Apparently Disney's antivirus did a terrible job detecting this keylogger.

I think Van Andel's career might never recover from this and I think he might spend a lot of time in court, but I also think that several companies had glaring insecurities in their products and services that put Van Andel at greater risk than what he could have reasonably expected (Github got some 'splainin to do too!). I hope he sues them all and gets settlements that motivate every single one of them to improve their security.

What a mess. And at the end of the day, Van Andel and his family are some of the most aggrieved victims here as well as the ones least able to recover from the attack, and I hope that a court sees them as sympathetic. Downloading free AI tools at work is dumb, but no one deserves all this for acting dumb.
RE: Disney Employee Targeted in Password Manager Hack - gorzek - 02-27-2025

Man, that's brutal. This is a perfect example of why you don't fuck with untrusted software, especially not on your company computer.

RE: Disney Employee Targeted in Password Manager Hack - FrodoSwaggins - 02-27-2025

Google password manager offers optional "On-Device Encryption" and I have read this thing like 3x and can't pick up what they're laying down. Thoughts?

https://support.google.com/accounts/answer/11350823?hl=en

RE: Disney Employee Targeted in Password Manager Hack - gorzek - 02-27-2025

On-device encryption is almost identical to what Apple does. Essentially, there is a key that is created based on your access method (a PIN, passkey, or whatever) and it is stored only on your device. So long as you can supply the access method, combined with the key, it can decrypt the data on your phone.

So, if you were to lose your access method (PIN, etc.) you would be unable to get your data back--and Google would not be able to help you, as they would not have the key, either.

This is the ultimate in security but it does come with risks since there's no cloud backup to rely on. You would need to ensure you put your own contingency plans in place such as taking your own backups (lots of apps exist to help you do this.)

RE: Disney Employee Targeted in Password Manager Hack - FrodoSwaggins - 02-27-2025

(02-27-2025, 07:15 PM)gorzek Wrote:
    On-device encryption is almost identical to what Apple does. Essentially, there is a key that is created based on your access method (a PIN, passkey, or whatever) and it is stored only on your device. So long as you can supply the access method, combined with the key, it can decrypt the data on your phone.

    So, if you were to lose your access method (PIN, etc.) you would be unable to get your data back--and Google would not be able to help you, as they would not have the key, either.

So in this example, your cellphone would become your 2FA for decryption? Or what? I'm definitely not getting it.

And in this example, does Google keep backups of your passwords or not? I thought the entire point was Google is keeping your passwords in a central vault, so to speak. Is it just a COPY that's encrypted on your device or the ONLY COPY?

RE: Disney Employee Targeted in Password Manager Hack - gorzek - 02-28-2025

This is the key part:

Quote:
    With on-device encryption, you lock up your passwords or passkeys with Google Password Manager, but you take the key with you instead. This means that only you can see your data. Just keep in mind that if you lose the key, you could lose your data too.

Only you can see your data. This means exactly what it sounds like: if you lose your phone, the data is gone. If you forget your PIN and have no other access methods available, the data is gone. You can use backup tools to keep copies elsewhere but, by default, your data is only on your phone and is gone forever if you lose the phone or your PIN/access method.

RE: Disney Employee Targeted in Password Manager Hack - FrodoSwaggins - 02-28-2025

(02-28-2025, 04:17 PM)gorzek Wrote:
    This is the key part:

Thanks. Great explanation. That makes the decision for me.

-- I still think Google's explanation was confusing!

RE: Disney Employee Targeted in Password Manager Hack - gorzek - 02-28-2025

Their explanation was definitely confusing. I only know what it means because I'm familiar with the technology involved and I know a lot of detail about Apple's implementation (which Google's clearly mimics.)
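gorzek's two posts above describe the on-device encryption model: a secret that exists only on the device, combined with the user's access method (a PIN here), is what unlocks the vault, and losing either one makes the data unrecoverable by anyone, the provider included. The following is an added example written for this thread, not code from Google, Apple or the posters, that models that arrangement in plain Python: a random device key, a PBKDF2-stretched PIN, a data key derived from both, and a vault blob that only opens when both are present. The encryption itself is a toy encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) chosen so the example runs with the standard library alone; real products use a vetted authenticated cipher such as AES-GCM, and the iteration count, PIN and vault entry are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption: illustrative work factor for stretching the PIN


def make_device_key() -> bytes:
    """Random 256-bit secret generated once on the device; it never leaves the device."""
    return secrets.token_bytes(32)


def derive_data_key(device_key: bytes, pin: str, salt: bytes) -> bytes:
    """Combine the device-bound secret with the stretched PIN. Both inputs are required:
    the PIN alone is useless without the phone, and the phone alone is useless without the PIN."""
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(device_key, b"vault-data-key" + pin_key, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy cipher for the demo)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(data_key: bytes):
    enc_key = hmac.new(data_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(data_key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (the tag check fails before
    any decryption, so a wrong PIN or a missing device key yields nothing at all)."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(data_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo():
    """Lock a vault on one device, then try the three situations the thread discusses:
    correct PIN on the same phone, wrong PIN, and the phone (device key) being lost."""
    vault = b"example.com: correct-horse-battery-staple"  # constructed sample entry
    salt = secrets.token_bytes(16)
    device = {"device_key": make_device_key(), "salt": salt}  # what the phone stores

    blob = encrypt_vault(derive_data_key(device["device_key"], "4827", salt), vault)

    right_pin = decrypt_vault(derive_data_key(device["device_key"], "4827", salt), blob)
    wrong_pin = decrypt_vault(derive_data_key(device["device_key"], "1234", salt), blob)

    # Lost phone: whoever holds only the blob (a backup, a sync server) and even the PIN
    # still lacks the device key, so a fresh device cannot open the old vault.
    replacement_phone_key = make_device_key()
    lost_device = decrypt_vault(derive_data_key(replacement_phone_key, "4827", salt), blob)
    return right_pin, wrong_pin, lost_device


if __name__ == "__main__":
    ok, bad_pin, lost = demo()
    print("correct PIN on same phone:", ok)
    print("wrong PIN:", bad_pin)
    print("lost phone, right PIN:", lost)
```

This is why gorzek's advice to keep your own backups matters: exporting the decrypted entries (or the device key material through whatever recovery mechanism the product offers) is the only path back once the phone or the PIN is gone.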