Cyber Incident Victim: Club Penguin Rewritten
Date: Jul 2019
Location: United Kingdom
Summary
A disgruntled administrator implanted a backdoor in a children's gaming website, enabling attackers to steal login credentials—including email addresses, usernames, and bcrypt-hashed passwords—along with 2.9 million IP address logs from over 4 million accounts. The intruders attempted to corrupt records and hijack accounts containing rare virtual items with potential real-world value, exploiting a legacy access point hidden by the former staff member following a contentious departure. This incident followed an earlier breach affecting 1.7 million accounts that remained undisclosed for over a year, with the operators failing to adequately notify most affected users due to ineffective communication through their limited support channels.
Description
On July 26, 2019, around 11 PM BST, unauthorized access to Club Penguin Rewritten's live database began leaking email addresses, usernames, bcrypt-hashed passwords, and 2.9 million IP address logs tied to user registrations and logins. The CPRewritten team detected the breach at 3 AM BST the following day but not before attackers exfiltrated data from 4,007,909 accounts. During the intrusion, the threat actor attempted to corrupt records and steal accounts possessing rare virtual items, which conferred in-game advantages and real-world monetary value. The breach was attributed to a backdoor planted by a former administrator known as "Codey," who had inserted malicious PHP files into the site’s infrastructure before departing the team in February 2018. These files enabled direct database access and were concealed among legitimate code to evade detection. Have I Been Pwned (HIBP) later validated and cataloged the stolen dataset, urging users to change passwords due to the risk of hash cracking. CPRewritten administrators blocked further unauthorized access upon discovery and posted a breach notification on their website, though they did not proactively disseminate it through primary communication channels like their Twitter accounts (with approximately 40,000 and 13,000 followers) or their Discord server (with roughly 8,000 members at the time).

The incident marked the second major breach for CPRewritten, following a January 2018 compromise that exposed 1.7 million email addresses, usernames, and password hashes. The 2018 breach remained undisclosed until HIBP reported it in April 2019, though CPRewritten staff claimed they had notified affected users. Codey's exit from the team in February 2018 was contentious: he was accused of harassing and stalking staff and of threatening to have them swatted unless the game shut down, which it temporarily did before relaunching in April 2018. The backdoor he implanted operated undetected for over a year, enabling the 2019 breach. CPRewritten's post-breach communication gaps left many of the 4 million affected users uninformed, as the website notice lacked prominent promotion and alternative channels reached only a fraction of the player base. The stolen IP logs and account details heightened the risk of credential-stuffing attacks and targeted harassment, particularly given the game's young demographic (ages 6–14). No evidence suggested CPRewritten implemented additional safeguards beyond password resets and access revocation during either breach.
