Disney lost 44 million Slack messages. Here's what a burn button could have prevented.
In July 2024, a hacktivist group called NullBulge breached Disney's internal Slack workspace and exfiltrated 1.1 terabytes of data — nearly 44 million messages from almost 10,000 channels. Unreleased project details. Source code. Login credentials. Passport numbers of cruise line employees. All of it stored. All of it stolen.
Disney's response was dramatic: they announced they would stop using Slack entirely. But the real lesson isn't about Slack specifically. It's about the fundamental risk of storing conversations at all.
Data that exists can be breached. Data that doesn't exist cannot. This is not philosophy — it's physics.
The anatomy of a 1.1 terabyte chat breach
The Disney breach wasn't sophisticated in its method. A single compromised credential gave attackers access to Disney's Slack workspace. From there, they could access nearly every channel — including private ones — because Slack's architecture stores everything centrally and grants broad access to authenticated users.
What they found was a corporate history in chat form:
- 44 million messages spanning years of internal communication
- 18,800+ spreadsheets containing financial data, employee information, and operational details
- 13,000+ PDFs including contracts, internal memos, and planning documents
- Unreleased project timelines and creative assets
- Login credentials shared casually in channels
- Passport numbers and personal data of employees
The attackers didn't need to hack Disney's databases or penetrate their production servers. They just needed access to the place where people talked about all those things. Slack was the single point of failure that gave them everything.
Disney is not an outlier
It's tempting to dismiss this as a Disney problem — a uniquely high-profile target with a massive attack surface. But the pattern repeats across industries and company sizes:
These aren't edge cases. They're the inevitable consequence of an architecture that stores everything forever. When you accumulate years of candid, informal communication in a searchable database, you're building a breach waiting to happen.
The cost of stored conversations
IBM's annual Cost of a Data Breach Report tracks the financial impact across industries. The numbers are sobering and accelerating:
The global average breach cost hit $4.88 million in 2024 — a 10% increase from the previous year and an all-time high. In the United States, where most of these chat platforms are headquartered and used most heavily, the average was $10.22 million.
But cost-per-breach statistics undercount the damage. They don't capture the reputational cost of having your internal conversations published on the internet. They don't capture the chilling effect on candid communication when employees learn their messages are stored forever. They don't capture the legal exposure when years of casual comments become exhibit evidence.
Disney's decision to abandon Slack wasn't a technical decision. It was a recognition that the risk of accumulating years of searchable employee communication in a centralized, breachable system had become unacceptable.
The "delete" illusion
A common response to these concerns is: "I'll just delete sensitive messages." This fundamentally misunderstands how enterprise chat platforms work.
Slack's compliance export includes deleted messages. Microsoft Teams stores deleted messages in a hidden Exchange folder called SubstrateHolds. Discord preserves files on its CDN after account deletion. The "delete" button in every major chat platform is a UI feature, not a data operation. It hides the message from your screen while preserving it in the backend.
The delete button is a lie. It provides psychological comfort while offering zero actual protection. In a breach scenario, deleted messages are just as accessible as undeleted ones.
This is by design, not by accident. Enterprise customers — the ones paying for these platforms — demand data retention for compliance, legal hold, and regulatory obligations. The platforms are built to satisfy those customers, not to protect individual employees.
What a burn button actually solves
Now imagine a different architecture. Instead of storing messages in a database, BurnChat gives room admins a choice: keep the last 100 messages in RAM for late joiners, or switch to client-only mode where the server stores nothing at all. Add E2E encryption and even the server can't read messages as they relay through. Nothing ever touches disk.
And instead of a meaningless "delete" button, there's a burn button that any participant can press. When they do:
- Every message in the room is immediately wiped from memory
- Every connected user is disconnected
- The room ceases to exist
- The JavaScript garbage collector reclaims the memory
- There is nothing to recover, nothing to breach, nothing to subpoena
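The room model and burn operation described above, as an added example in Node.js that is not BurnChat's own code: the two retention modes, the 100-message RAM buffer for late joiners, and a burn() that wipes the room and disconnects everyone. Room, RoomRegistry and makeClient are assumed names, and the clients are constructed stand-ins for WebSocket connections.

```javascript
// Added illustration, not BurnChat's code. A room lives only in process memory.
const BUFFER_LIMIT = 100; // "last 100 messages" from the description above

class Room {
  constructor(id, mode = 'buffer') {
    this.id = id;
    this.mode = mode;          // 'buffer' keeps last N in RAM; 'client-only' keeps none
    this.messages = [];        // never written to disk or a database
    this.clients = new Set();  // connected participants
    this.alive = true;
  }
  join(client) {
    if (!this.alive) throw new Error('room has been burned');
    this.clients.add(client);
    // Late joiners get buffered history only in buffer mode.
    return this.mode === 'buffer' ? [...this.messages] : [];
  }
  relay(sender, payload) {
    if (!this.alive) throw new Error('room has been burned');
    // With E2E encryption, payload is ciphertext; the server forwards it unread.
    for (const c of this.clients) if (c !== sender) c.deliver(payload);
    if (this.mode === 'buffer') {
      this.messages.push(payload);
      if (this.messages.length > BUFFER_LIMIT) this.messages.shift();
    }
  }
  burn() {
    // Any participant may trigger this: drop every reference, close every client.
    this.messages.length = 0;
    for (const c of this.clients) c.close();
    this.clients.clear();
    this.alive = false;
    // Caveat: JS cannot zero freed heap; the GC reclaims memory but does not wipe it.
  }
}

class RoomRegistry {
  constructor() { this.rooms = new Map(); }
  create(id, mode) { const r = new Room(id, mode); this.rooms.set(id, r); return r; }
  has(id) { return this.rooms.has(id); }
  burn(id) {
    const r = this.rooms.get(id);
    if (r) { r.burn(); this.rooms.delete(id); } // the room ceases to exist
    return !this.rooms.has(id);
  }
}

// Constructed demo client; a real one would wrap a WebSocket.
function makeClient() {
  return { inbox: [], closed: false,
           deliver(p) { this.inbox.push(p); }, close() { this.closed = true; } };
}
```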
This isn't a better delete button. It's a fundamentally different approach to communication. The conversation existed, served its purpose, and is now physically, irrecoverably gone.
If Disney's internal conversations had been conducted on ephemeral infrastructure — no logs, no database, no persistent storage — there would have been nothing for NullBulge to steal. Not because the security was better, but because the data simply didn't exist.
The principle: you can't breach what isn't there
The cybersecurity industry spends billions on firewalls, intrusion detection, endpoint protection, and threat intelligence. All of these tools share a common assumption: that data exists and must be defended.
Ephemeral architecture challenges that assumption. Instead of building bigger walls around accumulated data, it asks: what if the data simply wasn't there?
This doesn't replace security for data that must persist — financial records, contracts, regulatory filings. But the vast majority of workplace communication doesn't fall into those categories. Brainstorming sessions, quick syncs, candid feedback, strategy discussions, sensitive HR conversations — none of this needs to exist in a searchable database for years.
The safest message isn't an encrypted message or a "deleted" message. It's a message that was never stored in the first place.
Start a conversation that can't be breached
No accounts. No logs. No database. Messages live in memory only.
Any participant can burn the room and everything in it. Instantly and forever.