Hackers stole this engineer's 1Password database. Could it happen to you?

Image: thief stealing passwords (Getty Images)

Here's the very definition of a nightmare scenario.

Matthew Van Andel installed a free AI application on his personal computer at home in February 2024. Five months later, the Southern California-based engineer discovered that the app had an unexpected extra component: an infostealer that gave attackers full access to his computer.


According to WSJ reporters Robert McMillan and Sarah Krouse, the malware was controlled by a man who claimed to be a member of an anti-AI activist group that targeted Van Andel's employer, the Walt Disney Company.

The thief gained access to 1Password, the password manager Van Andel used to store passwords and other sensitive information, as well as to his browser cookies, the files stored on his computer that allowed the attacker to access online resources, including Disney's Slack network.

(If you don't have a WSJ subscription, you can read the article without a paywall at MSN.)

Van Andel told the WSJ that he promptly reported the breach to Disney's security team, filed a police report, and then spent several days changing all of his credentials. In retaliation, the hackers packaged up more than a terabyte of material from Disney's internal Slack channels, some 44 million messages, and published it online. According to Disney's cybersecurity team, the dump included "private customer information, employee passport numbers, and theme park and streaming revenue numbers".


The attackers also published every personal detail they had about the 42-year-old engineer, including credit card numbers, his medical history, and all of those 1Password logins.

Van Andel lost his job after Disney’s forensic examination allegedly revealed that he had accessed pornographic material on his work laptop in violation of company rules. ( Van Andel denies that accusation. )

The WSJ article goes into considerable detail about 1Password, pointing out that the victim had not turned on two-factor authentication for 1Password itself, and that he had been using the password manager to store the one-time-passcode secrets for a number of websites.

Does this imply that his choice of password manager contributed to what he is currently experiencing? Should you reevaluate your approach to managing passwords after reading this story?


In this case, it's hard to assign any fault to the password manager. The bad guys had unrestricted access to his computer for five months! Even if he had typed every username and password by hand, a keylogger would have captured every set of credentials he used during that time. And once the 1Password database was unlocked, they could simply have used their remote access to export an unencrypted copy of it.

The attackers were also known to steal session cookies, which let them log into accounts remotely as already-authenticated users. That is the most likely explanation for how the company's Slack communications were compromised, and it would have been true even if the PC's owner had protected every account with phishing-resistant 2FA codes or approval prompts handled on a separate device.
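The cookie point above is worth seeing in code, because it also explains why "changing all of his credentials" is not enough on its own. The toy session store below is an added illustration, not code from the article or from any product it names; the `SessionStore` class, its method names and the 8-hour `SESSION_TTL` are hypothetical. A session token copied off an infected PC is a complete proof of login: the naive check accepts it from anywhere, forever, and a password change does nothing to it. The hardened check bounds the token's lifetime and ties it to a per-user credential version that incident response bumps, so every session issued before the reset is rejected no matter who holds the cookie.

```python
"""Toy server-side session store showing why a stolen session cookie bypasses
passwords and 2FA, and two controls that limit the damage.
Added illustration; class and method names are hypothetical."""
import secrets

SESSION_TTL = 8 * 3600  # assumed policy: a session is valid for 8 hours


class SessionStore:
    """Maps opaque session tokens (the value the browser keeps in a cookie)
    to the user they were issued to."""

    def __init__(self):
        self._sessions = {}      # token -> {"user", "issued_at", "version"}
        self._cred_version = {}  # user -> counter bumped on credential reset

    def login(self, user, now):
        """Called only after password + 2FA succeed; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "issued_at": now,
            "version": self._cred_version.get(user, 0),
        }
        return token

    def resolve_naive(self, token, now):
        """Weak check: any known token is accepted, indefinitely, from any
        client. A cookie copied by an infostealer works exactly like the original."""
        entry = self._sessions.get(token)
        return entry["user"] if entry else None

    def resolve_hardened(self, token, now):
        """Accept the token only if it is within its lifetime and was issued
        after the user's most recent credential reset."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["issued_at"] > SESSION_TTL:
            return None  # stale cookie: the attacker's window is bounded
        if entry["version"] != self._cred_version.get(entry["user"], 0):
            return None  # issued before the last reset: revoked
        return entry["user"]

    def reset_credentials(self, user):
        """Incident-response step: bump the version so every session that
        predates the reset is rejected, whoever holds its cookie."""
        self._cred_version[user] = self._cred_version.get(user, 0) + 1


def demo():
    """Replays the scenario: cookie stolen, then the victim resets credentials.
    Returns ((naive, hardened) before reset, (naive, hardened) after reset)."""
    store = SessionStore()
    t0 = 1_700_000_000
    stolen = store.login("engineer", t0)  # infostealer copies the cookie verbatim
    before = (store.resolve_naive(stolen, t0 + 60),
              store.resolve_hardened(stolen, t0 + 60))
    store.reset_credentials("engineer")   # password changed, 2FA re-enrolled
    after = (store.resolve_naive(stolen, t0 + 120),
             store.resolve_hardened(stolen, t0 + 120))
    return before, after


if __name__ == "__main__":
    print(demo())  # (('engineer', 'engineer'), ('engineer', None))
```

The takeaway for a responder is that a credential reset must be paired with server-side session revocation (and, for SaaS tools like Slack, with an administrator forcing sign-out of the user's sessions); otherwise the stolen cookies keep working after the passwords are gone.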

The attackers never touched 1Password’s servers, and there’s no evidence that they were able to crack the encryption that protected that database. Any password manager program would have experienced the same results.

No. The victim installed the malware on his computer himself, by downloading an untrusted piece of software. If he had noticed the takeover within the first few days, the damage might have been less severe, but nothing appears to have raised alarms. And once the hackers realized they had snared a highly paid engineer at a Fortune 50 company, it was all over.

It's worth noting that this compromise occurred on the victim's personal device, from which he had access to Disney Slack channels; his work device was reportedly untouched by the infostealer. Most large corporations have security measures in place to stop users from installing arbitrary software on their computers. This episode is a good illustration of the limits of those protections, and of why it is never wise to install untrustworthy executables on personal devices.


One aspect of this story did persuade me to reevaluate my own online security settings, particularly for accounts that use 2-factor authentication. I'm comfortable letting my password manager generate one-time passcodes for many accounts, but not for high-value credentials: those for my bank and credit card accounts, my primary email provider, and identity services like ID.me and Login.gov. For those, I insist on a separate authenticator device or an authenticator tied to my PC's biometrics.

Every online security decision involves tradeoffs. For every website that needs them, strong, unique passwords can be easily created using a password manager, and those passwords can be securely synced across multiple devices. That would be impossible to do manually. That tradeoff appears to be worthwhile, and it is crucial to secure that password database with a strong password and its own 2-factor verification.
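To make the tradeoff in the two paragraphs above concrete, here is an added example (not code from the article or from 1Password) that computes RFC 6238 time-based one-time passcodes from scratch and then asks, for each entry in a constructed vault dump, which login factors the dump hands over. The vault layout, the site names and the `totp_secret` field are hypothetical. The first entry uses the RFC 6238 reference secret, so the code it produces is checkable against the RFC's published test vector. An entry that stores the TOTP secret next to the password yields both factors to anyone who exports the vault; an entry whose second factor lives on a separate device yields only the password.

```python
"""RFC 6238 TOTP computed from scratch, used to show what a password-manager
export yields when the 2FA secret is stored alongside the password.
Added illustration; vault layout and entry names are hypothetical."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then the standard dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second step."""
    return hotp(secret, unix_time // step, digits)


# Constructed vault entries, as an attacker would see them after an unlocked
# vault is exported in clear text. The first secret is the RFC 6238 test key.
VAULT_DUMP = {
    "bank.example": {"password": "correct horse",
                     "totp_secret": b"12345678901234567890"},
    "mail.example": {"password": "battery staple",
                     "totp_secret": None},  # 2FA enrolled on a separate device
}


def factors_exposed(entry: dict, unix_time: int) -> dict:
    """What the holder of this vault entry can present at login time."""
    exposed = {"password": entry.get("password") is not None, "totp_code": None}
    if entry.get("totp_secret"):
        # With the secret in hand, the current code is just arithmetic.
        exposed["totp_code"] = totp(entry["totp_secret"], unix_time)
    return exposed


def accounts_fully_exposed(dump: dict, unix_time: int) -> list:
    """Entries for which both factors come out of the same dump; this is the
    configuration the author avoids for high-value accounts."""
    return sorted(site for site, entry in dump.items()
                  if factors_exposed(entry, unix_time)["totp_code"] is not None)


if __name__ == "__main__":
    # RFC 6238 test vector: time 59 with the reference key gives 94287082
    # for 8 digits, so the 6-digit code is 287082.
    print(totp(b"12345678901234567890", 59))          # 287082
    print(accounts_fully_exposed(VAULT_DUMP, 59))      # ['bank.example']
```

The arithmetic is the whole point: a TOTP "second factor" is only a second factor while its seed lives somewhere the password does not. Keeping the seed for high-value accounts on a separate authenticator, as the author does, means a vault export still leaves the attacker one factor short.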

And if your corporate IT department occasionally acts overly cautious, they might be trying to avoid a similar nightmare.

