HQ/EMEAFind out how we can help your business
Club Penguin fans breached a Disney Confluence server to gain information on their favourite game but stole 2.5 GB of sensitive company data instead.
From 2005 until 2018, Club Penguin was a multiplayer online game (MMO) that included a virtual environment where players could participate in games and activities and talk with one another. The game was initially developed by New Horizon Interactive, which Disney eventually purchased.
While the game was officially cancelled in 2017 and replaced by Club Penguin Island in 2018, the game can still be played on private servers operated by fans and independent devs. Despite Disney’s opposition to a more prominent ‘Club Penguin Rewritten’ replica, which resulted in the arrest of its owners, secret servers continue to be used by thousands of gamers.
Club Penguin fans hacked Disney.
Earlier this week, an anonymous user posted a link to “Internal Club Penguin PDFs” on the 4Chan message board with the simple statement, “I no longer need these:).”
The link takes users to a 415 MB collection with 137 PDFs, including old internal information about the game, such as correspondence, design schematics, paperwork, and character sheets. All this data is at least seven years old, making it interesting to fans.
Separate research also discovered that the game’s data is a small portion of a much bigger data set stolen from Disney’s Confluence server. This server stores documentation for different business, software, and IT initiatives used internally by Disney.
However, a source disclosed that Disney’s Confluence servers were compromised using previously leaked passwords. According to the insider, the threat actors initially sought Club Penguin data, but they ended up obtaining 2.5 GB of data about Disney’s corporate strategies, advertising plans, Disney+, internal developer tools, commercial projects, and infrastructure.
On the other hand, a research group has acquired documentation on various efforts and projects and information on internal development tools known as Helios and Communicore that had yet to be made public.
Researchers also stated that the original Club Penguin PDFs circulated on 4Chan were taken several weeks ago. However, the Disney corporate data has been obtained much earlier, including texts about a document generated by Confluence earlier this month.
Disney has remained silent about the incident and has yet to disprove or confirm the allegations that occurred within their servers.
