Club Penguin Rewritten breach caused by rogue admin backdoor

Credit to Author: John E Dunn | Date: Fri, 02 Aug 2019 11:57:08 +0000

Last Friday, the hugely popular gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach that exposed four million user accounts.

Having account data, including email addresses, usernames, IP addresses and passwords, exposed is bad enough in any event, but this was made much worse by the fact that it came on the back of a separate breach in January 2018 that affected 1.7 million accounts and was only made public more than a year later.

The cause of the latest breach? This, it seems, is where the story enters even darker territory.

According to someone connected to CPRewritten who contacted the news site Bleeping Computer this week, the hack happened after attackers accessed a hidden PHP database backdoor put there by a former site admin last year.

Defending against breaches caused by vulnerabilities or misconfigurations is hard enough; stopping attackers from abusing a weakness that was put there deliberately is close to impossible unless the backdoor is detected first.

Identified only as ‘Codey’, this individual is said to have departed in February 2018 in strained circumstances that included alleged harassment of other staff.

July breach

CPRewritten launched in 2017 in order to continue the earlier Club Penguin (CP), which was shut by owners Disney in the same year.

A year later it was announced that Club Penguin, too, would be closing, a decision that was reversed a month later after extra funding was found.

It is claimed that the rogue admin wanted the site to close at that time for reasons that aren’t explained.

It’s not known who exfiltrated the data of four million accounts last week, but they clearly knew what they’d come for.

The breach is believed to have begun at around 11pm BST last Friday, about an hour after which an admin noticed that the server’s resources were being used heavily.

CPRewritten only realised that this was connected to a breach the next day. By the time it took defensive measures, the hackers had already tried to…

…damage records and steal valuable accounts with rare virtual items [exchangeable for money] collected from the game.

What to do

The first task is to change the account password, something the site will presumably require users to do anyway when they next log in (as far as we can tell, the ‘Padlock’ two-factor authentication is not yet available to turn on).

The fact that the passwords were stored as bcrypt hashes will be seen as good news. However, bcrypt isn’t a magic shield: the hashes might still be cracked offline by attackers with enough time on their hands.

A bigger concern might be communication.

Both breaches suffered by the site were made public by the Have I Been Pwned? (HIBP) breach notification site, which can also now deliver alerts of new incidents in Mozilla Firefox.

Put another way, the first breach took over a year to become public knowledge, and then only via a third party, and it’s still not clear what steps, if any, CPRewritten has taken to publicise last week’s incident beyond sending an email.

What users might value more is a clear explanation of what was compromised and how it happened from the horse’s mouth – not to mention more information on the steps being taken to stop it happening again.
