Site icon Sophos News

4 million Club Penguin Rewritten accounts exposed in breach

Last Friday, the hugely popular gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach that exposed four million user accounts.

Having account data including email addresses, usernames, IP addresses and passwords hacked is bad enough in any event but this was made much worse by the fact it came on the back of a separate breach in January 2018 affecting 1.7 million accounts, made public more than a year later.

The cause of the latest breach? According to someone connected to CPRewritten who contacted news site Bleeping Computer this week, the hack happened after hackers accessed a hidden PHP database back door put there by a former site admin last year.

It’s a version of events that both the individual concerned, and a hacking group that’s claimed responsibility for the hack, both strenuously deny.

The New World Order group who claim credit for the breach say they compromised the site using a vulnerability in the Adminer database administration tool. Regarding the admin’s involvement, they tweeted this:

…he had nothing to do with it. CPR admins know who we are, we’re responsible for the database breaches of many other CPPSes.

July breach

CPRewritten launched in 2017 in order to continue the earlier Club Penguin (CP), which was shut by owners Disney in the same year.

A year later it was announced that Club Penguin, too, would be closing, a decision that was reversed a month later after extra funding was found.

The breach is believed to have begun at around 11pm BST last Friday, about an hour after which an admin noticed that the server’s resources were being used heavily.

CPRewritten only realised that this was connected to a breach the next day. By the time it took defensive measures, they claim the hackers had already tried to…

…damage records and steal valuable accounts with rare virtual items [exchangeable for money] collected from the game.

What to do

The first task is to change the account password, something the site will presumably require users to do anyway when they next log in (as far as we can tell, the ‘Padlock’ two-factor authentication is not yet available to turn on).

The fact that the data hashes were stored using Bcrypt will be seen as good news. However, this isn’t a magic shield and might still be vulnerable to attackers with enough time on their hands.

Both breaches suffered by the site were made public by the Have I Been Pwned? (HIBP) breach notification site that can also now deliver alerts of new incidents in Mozilla Firefox.

Exit mobile version