Paramount Film Leaks Online Amid Report on Hollywood Cybersecurity Vulnerabilities

A full version of the $80 million animated film "Legend of Aang: The Last Airbender" leaked online last week, six months ahead of its planned release on Paramount+. The leak was posted by a person in Singapore, who reportedly received it from the hacker collective Pegglecrew.

Paramount declined to comment, but a source familiar with the preliminary investigation stated that the leak did not result from a vulnerability in the company's systems. Pegglecrew has been less active in recent years but previously accessed the software hosting website Fosshub and musician Ringo Starr's Twitter account in 2016.

Two years ago, an unfinished copy of Paramount's "Saving Bikini Bottom: The Sandy Cheeks Movie" also leaked online about two weeks before its release.

A report by U.K. cybersecurity firm Red Sift analyzed California's 100 largest employers, including major film and TV studios, and found persistent vulnerabilities in the U.S. entertainment industry. The report noted that 71% of major studios have no enforced protection against email impersonation, with Universal being the only studio that actively blocks spoofed or malicious emails.

None of the major Hollywood studios use BIMI brand verification for emails, which includes an official logo to enhance trustworthiness and reduce impersonation risks. Brian Westnedge, director of alliances and partnerships at Red Sift, stated that the "Legend of Aang" incident highlights the risks for studios not addressing current cybersecurity threats.

He added that such events cause financial harm to studios and workers involved in the productions.

The report references the 2014 Sony Pictures hack by the group Guardians of Peace, which exposed executive emails and released finished movies. Since then, other incidents include the 2016 theft of a full season of Netflix's "Orange Is the New Black" by TheDarkOverlord, who released it after a ransom demand was ignored.

In 2017, a hacker known as Mr. Smith, later identified by federal authorities as working for the Iranian regime, stole content from HBO, including a script summary for an unaired "Game of Thrones" episode and episodes of other shows, demanding millions in ransom.

More recently, in 2024, a hacker named NullBudge accessed Disney's systems via a Slack attack, leading to a guilty plea by a California man the following year. The Red Sift report indicates that more than two-thirds of major studios could be impersonated via email without hacking, due to lacking protections, especially amid geopolitical conflicts and AI advancements.