Matthew Van Andel, 44, who goes by the nickname Dutch, had never heard of “nullbulge.se,” the domain name that sent the message. It appeared to be a classic phishing attempt, a prompt to get him to reply to the email with personal information. So he marked it as spam, swatting it away with a near-automatic series of clicks. Van Andel worked in technology at Disney corporate in Burbank. He loved his job at “the Happiest Place on Earth”; over his seven years at the company, he and his wife, Nicole, had become Disney adults, taking advantage of discounted park tickets with their two kids. Their house in La Crescenta, where Van Andel was working remotely when he got the email, was filled with Mickey and Star Wars and Marvel memorabilia.
Fifteen minutes later, another message arrived from the same sender. This one took a different tack. “Hi Matt. We regret to inform you we have gained access to certain sensitive information related to your personal life.” Van Andel would have deleted this, too, but he had received exactly the same message on Discord, a platform he used to chat about gaming. And it contained specific information that only a few people could, or should, know. “We noticed you had a conversation with Aadya and Shawn about being at Granville for ‘$veg && $keto,’” it read. That was strange. Aadya and Shawn were Van Andel’s co-workers; “$veg && $keto” was a joke about lunch that Van Andel had made while chatting to them on Slack, the internal-messaging system Disney used, a few days earlier.
Seeing his own private words on the screen, Van Andel messaged Disney’s information-security department. The emails had been sent to his personal account, which he was reading on his personal gaming PC in his home office. Info-sec told him his Slack account and work laptop appeared to be operating normally. Still disturbed, Van Andel deleted the second email. Immediately a third arrived: “You think we didn’t see you mark our first test as spam? Then our actual attempt [at] contact went right in the trash.” Van Andel felt his stomach drop. Someone had live access to his account and was watching him use it.
As an engineer, Van Andel thought he had above-average personal op-sec. He ran anti-virus software on his computer. He used Proton Mail, which encrypts messages between users. He turned on multifactor authentication for serious stuff like iCloud. For the past decade, he depended on a password manager called 1Password, which generates random, long, and complex passwords; stores them; and automatically remembers them whenever a user needs to sign in. For Van Andel, 1Password even managed his multifactor-authentication codes. But his diligent, longtime use of his password manager turned out to be Van Andel’s vulnerability. Having all that information in one handy place meant that once someone else was inside, they had a master key to every aspect of his life: his iCloud, iMessage, emails, photos, PayPal, financial information, medical records, social media, his parents’ financials. Over 1,000 accounts. The only way someone could have gotten into his email was if they had cracked his 1Password; when Van Andel realized they must have access to everything, the room began to spin.
He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.
By morning, Van Andel had received a call from Disney info-sec: The intruders had revealed themselves on a blog post celebrating the hack as NullBulge, an activist collective “protecting artists’ rights and ensuring fair compensation for their work,” according to their website. It was later reported that they were Russian furries. They had dumped the contents of Van Andel’s 1Password onto BitTorrent along with his full name — every personal log-in credential, his messages, his bank information, his medical diagnoses, his Amazon account. They’d also managed to access more of Disney’s data than just Van Andel’s Slack messages and published that too: employee Social Security numbers and Slack messages, budget spreadsheets and passport information for the company’s cruise-line workers. It was a massive breach. As people around the world tried to use the information NullBulge had posted, Van Andel’s iPhone began pinging every few seconds with attempts to get into his accounts. Someone logged in to his children’s Roblox profiles and began defacing them with Nazi screeds. Unknown callers left voice-mails. “Dude, your life is over, haha,” one said. “Just leave the country; that’s my advice. Good luck, have fun, and I hope your type 2 diabetes doesn’t get the best of you.” Van Andel raced around the house unplugging Ring cameras and Amazon Echos. Discovering every new potential violation was like learning he was bleeding from a limb he didn’t remember he had. Viscerally, painfully, he could feel the overwhelming breadth and permanence of everything he had ever recorded online, ephemeral and vital and intimate and stupid. Somehow it was only the first wave of exposure he would endure.
by Bridget Read, Intelligencer
Image: Tracy Ma
[ed. Privacy is dead. Edward Snowden is still exiled in Russia.]