
Hasbro Got Hacked. Their AI Art Pipeline Was Visible From a DNS Query.

  • Writer: Patrick Duggan
  • Apr 1

Updated: Apr 25

Hasbro filed an SEC disclosure today confirming a cyberattack detected on March 28. Systems are down. Hackers may still be inside. Recovery will take "several weeks." The company that owns Transformers, Dungeons & Dragons, Magic: The Gathering, Peppa Pig, Monopoly, and My Little Pony is operating on business continuity plans.


Every outlet is reporting the same thing: Hasbro got hacked, we don't know by whom, no ransomware claim yet, spokesperson won't answer questions.


We looked at the attack surface. What we found is more interesting than the breach itself.



The GenAI Pipeline


Hasbro is running an internal AI image generation platform. We found it in their public SSL certificate records, which certificate transparency logs make searchable — no hack required, no authentication needed, just a query to crt.sh:



| Subdomain | Tool | Purpose |
| --- | --- | --- |
| comfyui.apps.genai.hasbro.com | ComfyUI | Node-based AI image generation — production |
| comfyui.dev.genai.hasbro.com | ComfyUI | Development environment |
| fooocus.apps.genai.hasbro.com | Fooocus | Simplified Stable Diffusion UI — production |
| fooocus.dev.genai.hasbro.com | Fooocus | Development environment |
| swarmui.apps.genai.hasbro.com | SwarmUI | Multi-model AI image orchestration — production |
| swarmui.dev.genai.hasbro.com | SwarmUI | Development environment |
| auth.apps.genai.hasbro.com | Auth | Authentication layer for production GenAI |
| auth.dev.genai.hasbro.com | Auth | Authentication layer for dev GenAI |


ComfyUI, Fooocus, and SwarmUI are open-source AI image generation tools. ComfyUI is the industry standard for complex workflows — inpainting, ControlNet, LoRA fine-tuning, batch generation. Fooocus is the simplified interface for quick iterations. SwarmUI orchestrates multiple models in parallel.


Hasbro is using all three. In both dev and production. Behind an auth layer that — if the March 28 attackers found their way to Active Directory — is only as strong as the credentials that were compromised.



What's in the Pipeline


Think about what Hasbro generates with AI art tools:


  • Transformers: Concept art for unreleased toys, movie designs, packaging

  • Magic: The Gathering: Card art. MTG cards are collectible assets — unreleased card art has market value

  • Dungeons & Dragons: Monster designs, rulebook illustrations, campaign art

  • My Little Pony: Character designs for shows, toys, licensing

  • Peppa Pig: Episode concept art, merchandise designs

  • Monopoly: Themed board designs, partnership mockups

  • Nerf: Product design concepts, marketing assets

In 2026, a toy company's intellectual property isn't in a filing cabinet. It's in the AI art pipeline. The models are fine-tuned on proprietary style guides. The prompt histories contain product roadmaps. The output folders contain unreleased designs that competitors, counterfeiters, and leakers would pay for.


If the attackers got to genai.hasbro.com, they didn't just get employee data. They got the creative engine.



The Full Attack Surface


Beyond the GenAI platform, Hasbro's public certificate records reveal 255 subdomains:


  • jira.hasbro.com — issue tracking, project management

  • artifacts.hasbro.com — build artifacts repository

  • docker.artifacts.hasbro.com — Docker container registry

  • test.artifacts.hasbro.com — test artifact storage

  • rancher-tst.hasbro.com — Kubernetes cluster management (test)

  • adfs.hasbro.com — Active Directory Federation Services

  • sslvpn.hasbro.com — SSL VPN endpoint

  • login.hcs.hasbro.com — HCS platform login

  • cnhbrapise01.ap.hasbro.com through cnhkgapise02.ap.hasbro.com — Hong Kong, mainland China, and APAC partner portals

  • mail.hasbro.com.hk — Hong Kong email

25 dev/test/staging environments with public SSL certificates — every one a potential entry point that receives less security scrutiny than production.
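An added example, not part of the original post: a self-audit of what certificate records reveal about a domain you own, deduplicating names and tagging non-production environments and sensitive services. The records are constructed in the shape of crt.sh JSON output (`name_value` field), `example.com` is a placeholder, and the keyword lists are assumptions about naming conventions.

```python
import json
import re

# Constructed records shaped like crt.sh JSON output: name_value holds the
# certificate's DNS names, newline-separated. example.com is a placeholder.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "comfyui.apps.genai.example.com\nauth.apps.genai.example.com"},
    {"name_value": "comfyui.dev.genai.example.com"},
    {"name_value": "comfyui.dev.genai.example.com"},   # renewal, same name
    {"name_value": "*.example.com\nexample.com"},
    {"name_value": "rancher-tst.example.com"},
    {"name_value": "ADFS.example.com\nsslvpn.example.com"},
    {"name_value": "docker.artifacts.example.com\ntest.artifacts.example.com"},
    {"name_value": "shop.example.org"},                # out of scope
])

# Assumed naming conventions; adjust to your organisation's.
NONPROD = re.compile(r"(^|[-_])(dev|tst|test|stg|stage|staging|qa|uat)($|[-_\d])")
ROLES = {"adfs": "identity", "auth": "identity", "login": "identity",
         "sslvpn": "remote-access", "vpn": "remote-access",
         "jira": "issue-tracking", "artifacts": "build-registry",
         "docker": "build-registry", "rancher": "cluster-mgmt",
         "genai": "genai", "comfyui": "genai", "fooocus": "genai",
         "swarmui": "genai"}

def inventory(ct_json, apex):
    """Deduplicate in-scope names and tag environment and service role."""
    names = set()
    for rec in json.loads(ct_json):
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name == apex or name.endswith("." + apex):
                names.add(name)
    report = []
    for name in sorted(names):
        labels = name[:-len(apex)].rstrip(".").split(".")
        tokens = {t for label in labels for t in re.split(r"[-_]", label)}
        report.append({
            "name": name,
            "wildcard": name.startswith("*."),
            "nonprod": any(NONPROD.search(label) for label in labels),
            "roles": sorted({ROLES[t] for t in tokens if t in ROLES}),
        })
    return report

def nonprod_exposed(report):
    """Non-production names that also advertise a sensitive service."""
    return [r["name"] for r in report if r["nonprod"] and r["roles"]]

if __name__ == "__main__":
    for row in inventory(SAMPLE_CT_JSON, "example.com"):
        print(row)
```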



The AIPM Score


We ran Hasbro through our AI Presence Management audit:





| Dimension | Score |
| --- | --- |
| Overall | 71 |
| AI Perception | 85 across all 5 models |
| Structure | 3 |
| robots.txt | 5 |
| LD-JSON | 0 |
| Semantic HTML | 0 |
| Meta tags | 0 |


Every AI model knows Hasbro. 85 awareness, 85 recommendation — they're a $4 billion brand. But their website structure scores a 3 out of 95. Zero LD-JSON. Zero semantic HTML. The main site returns noindex, nofollow with an Incapsula WAF challenge — which means crawlers see a blank page behind a JavaScript challenge.


A company that every AI model knows, but whose own website tells crawlers to go away. The brand lives entirely on third-party knowledge — Wikipedia, news coverage, retail sites. Hasbro controls none of that narrative.



The Pattern


"Several weeks" to recover. Spokesperson won't say if it's ransomware. Won't say if there's been communication from the attackers. Systems still compromised. Business continuity plans activated.


This reads like ransomware with data exfiltration. The "several weeks" timeline, the SEC filing, the refusal to characterize the attack type — that's the playbook when a company is in active negotiation or deciding whether to pay.


No threat actor has claimed it yet. Leak site claims typically come when negotiations stall — usually 1-2 weeks after initial contact. If this is ransomware, expect a claim by mid-April.


The Jaguar Land Rover comparison in the TechCrunch report is apt. That attack stalled production for months and required a $1.5 billion UK government bailout. Hasbro's Q2 product launches — Easter toys, summer movie tie-ins, convention exclusives — are all at risk if the disruption extends.



What To Watch


  1. Leak site claims — Qilin, Interlock, BlackCat remnants, RansomHub are all active against manufacturing/entertainment

  2. The GenAI pipeline — if unreleased IP starts appearing on dark web marketplaces or Chinese toy manufacturer sites, the art pipeline was accessed

  3. Magic: The Gathering leaks — MTG card leaks have a dedicated community. If unreleased card art surfaces, it may have come from the GenAI system rather than traditional supply chain leaks

  4. China/APAC infrastructure — 25 APAC endpoints suggest significant operations. Supply chain disruption to Hasbro's manufacturing partners (mostly China-based) could compound the breach impact



We found Hasbro's AI art pipeline in their SSL certificate records. 255 subdomains. 8 GenAI endpoints running ComfyUI, Fooocus, and SwarmUI. AIPM structure score: 3 out of 95. The crown jewels of a toy company in 2026 aren't in a warehouse — they're in the prompt history of a fine-tuned Stable Diffusion model.


When we hear more about who did this, the IOCs will be in our STIX feed before the press conference ends.


