Club Penguin Fans Hack Disney!

Kr1pt7c
2 min readJun 10, 2024

--

Ever hear of Club Penguin? Fans of this game just hacked a Disney Confluence server with the intention of stealing information about their favorite game. The hackers got a lot more than what they were looking for however, when they walked away with 2.5 GB of internal corporate data including Disney’s Corporate Strategies, Advertising plans, Internal Infrastructure, and credentials for S3 buckets and internal API endpoints, in addition to data related to the game.

Ever since the game was shut down in 2018, fans have kept it going on private servers managed by independent developers and members of the community. The intention of this attack seems to be to gain more information about the game to enhance the experience of players on these private servers. Notably, one such server “Club Penguin Rewritten” was recently sued by Disney leading to the arrest of it’s operators.

A link to the data that was acquired was published in the form of a link to an archive of 137 PDFs on the 4chan message board. This, however, is only part of the stolen data.

The club penguin data is fairly old and its release poses no major threat to the company, but the rest of the data is far more critical, some of it being data from the current year as well.

The stolen data contains information about two previously undisclosed internal developer tools called Helios and CommuniCore.

CommuniCore is a high-performance asynchronous messaging library, developed for use in distributed applications. Helios is a show authoring and playback tool which allows Disney producers and authors to create interactive non-linear experiences using real world inputs from sensors at Disney’s parks.

The most dangerous of the exposed data is a collection of links to internal websites, APIs, and S3 buckets used by Disney developers, which could be valuable for threat actors targeting the company.

--

--