4 million Club Penguin Rewritten accounts exposed in breach

Credit to Author: John E Dunn | Date: Fri, 02 Aug 2019 11:57:08 +0000

Last Friday, the hugely popular gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach that exposed four million user accounts.

Having account data, including email addresses, usernames, IP addresses and passwords, stolen is bad enough in any event, but this was made much worse by the fact that it came on the back of a separate breach in January 2018 affecting 1.7 million accounts, which was only made public more than a year later.

The cause of the latest breach? This, it seems, is where the story enters even darker territory.

According to someone connected to CPRewritten who contacted news site Bleeping Computer this week, the hack happened after hackers accessed a hidden PHP database back door put there by a former site admin last year.

Identified only as ‘Codey’, this individual is said to have departed in February 2018 in strained circumstances that included alleged harassment of other staff.

It’s a version of events that both Codey and a hacking group that has claimed responsibility for the hack strenuously deny.

The New World Order group who claim credit for the breach say they compromised the site using a vulnerability in the Adminer database administration tool. Regarding Codey’s involvement, they tweeted this:

…he had nothing to do with it. CPR admins know who we are, we’re responsible for the database breaches of many other CPPSes. They can’t always use Codey as an escapegoat.

July breach

CPRewritten launched in 2017 in order to continue the earlier Club Penguin (CP), which was shut by owners Disney in the same year.

A year later it was announced that Club Penguin, too, would be closing, a decision that was reversed a month later after extra funding was found.

It is claimed that the rogue admin wanted the site to close at that time for reasons that aren’t explained.

The breach is believed to have begun at around 11pm BST last Friday, about an hour after which an admin noticed that the server’s resources were being used heavily.

CPRewritten only realised that this was connected to a breach the next day. By the time it took defensive measures, they claim the hackers had already tried to…

…damage records and steal valuable accounts with rare virtual items [exchangeable for money] collected from the game.

What to do

The first task is to change the account password, something the site will presumably require users to do anyway when they next log in (as far as we can tell, the ‘Padlock’ two-factor authentication is not yet available to turn on).

The fact that the passwords were hashed using bcrypt will be seen as good news. However, this isn’t a magic shield: bcrypt slows down guessing, but weak passwords might still be recovered by attackers with enough time on their hands.
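To make the “not a magic shield” point concrete, here is an added example (not code from the article, CPRewritten, or any library the article mentions) showing what a salted, tunable-cost password hash does and does not buy a site. Because bcrypt is not in the Python standard library, the example uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in; the defensive lesson is the same: the work factor multiplies the cost of every guess, but it cannot stop a guess that is drawn from a short list of common passwords. All parameters (iteration counts, keyspace sizes, the attacker’s parallelism) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 with a per-password random
# salt and a tunable iteration count playing the role of bcrypt's cost factor.
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a storable string 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Measure what one guess costs at this work factor on the current machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"measurement-only", salt, iterations)
    return (time.perf_counter() - start) / trials


def days_to_exhaust(keyspace: int, per_guess_seconds: float, parallelism: int = 1) -> float:
    """Days for `parallelism` workers to try every candidate in a keyspace of this size."""
    return keyspace * per_guess_seconds / parallelism / 86400


if __name__ == "__main__":
    stored = hash_password("correct horse battery", 200_000)  # constructed sample
    print("stored record:", stored)
    print("right password verifies:", verify_password("correct horse battery", stored))
    print("wrong password verifies:", verify_password("penguin123", stored))

    # The work factor buys time, but only in proportion to how many guesses are needed.
    for cost in (10_000, 200_000):
        t = seconds_per_guess(cost)
        common_list = 1_000_000          # assumption: a list of common passwords
        full_8_char = 95 ** 8            # every 8-character printable password
        print(f"cost={cost}: {t*1000:.2f} ms/guess, "
              f"common list exhausted in {days_to_exhaust(common_list, t, 100):.3f} days, "
              f"8-char keyspace in {days_to_exhaust(full_8_char, t, 100):.0f} days "
              f"(100 parallel workers)")
```

The numbers printed at the end are the practical reading of the article’s caveat: raising the cost factor turns a full 8-character search into a matter of years, but a password that sits on a short common-password list is found in minutes at any realistic cost, which is why changing a reused or weak password after a breach matters regardless of how it was hashed.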

A bigger concern might be communication.

Both breaches suffered by the site were made public by the Have I Been Pwned? (HIBP) breach notification site that can also now deliver alerts of new incidents in Mozilla Firefox.

Or, if you like, the first breach took over a year to become public knowledge via a third party, and it’s still not clear what steps, if any, CPRewritten has taken to publicise last week’s incident beyond sending an email.

What users might value more is a clear explanation of what was compromised and how it happened from the horse’s mouth – not to mention more information on the steps being taken to stop it happening again.
