A disgruntled former administrator left a backdoor in a kids’ gaming website that enabled hackers to steal login data for a little over 4 million accounts.
On Friday, around 11 PM BST, email addresses, usernames and passwords stored as bcrypt hashes belonging to players of Club Penguin Rewritten (CPRewritten), an independent recreation of Disney’s Club Penguin massively multiplayer online game for kids aged 6 to 14, started to seep out from the website’s live database.
Resentful admin shuts down the game
The incident occurred because a former administrator, nicknamed Codey, left behind PHP files allowing access to the website’s database, a staff member of the game told BleepingComputer. The malicious code was hidden among regular files to avoid detection.
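A rogue script placed among legitimate files defeats detection by eye, but not a file-integrity check against a manifest taken at deployment time. The following is an added example, not code from CPRewritten or from BleepingComputer: it hashes every file under a web root, compares the live tree with the known-good manifest, and reports files that were added, modified or removed. The directory layout, the file names (`index.php`, `includes/db.php`, `includes/cache_helper.php`) and the file contents are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def audit_webroot(root, manifest):
    """Compare a live web root against a known-good manifest.

    Returns a sorted list of (status, relative_path) tuples where status is
    'added' (file not in the manifest), 'modified' (digest differs) or
    'missing' (manifest entry no longer on disk).
    """
    current = build_manifest(root)
    findings = []
    for rel, digest in current.items():
        if rel not in manifest:
            findings.append(("added", rel))
        elif manifest[rel] != digest:
            findings.append(("modified", rel))
    for rel in manifest:
        if rel not in current:
            findings.append(("missing", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: a clean deployment is baselined, then the live
    copy gains an unauthorized PHP file next to real includes and has one
    legitimate include edited. Both should be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        (clean / "includes").mkdir(parents=True)
        (clean / "index.php").write_text("<?php require 'includes/db.php'; ?>\n")
        (clean / "includes" / "db.php").write_text("<?php // constructed DB bootstrap ?>\n")
        manifest = build_manifest(clean)  # taken at deployment time

        live = Path(tmp) / "live"
        (live / "includes").mkdir(parents=True)
        (live / "index.php").write_text("<?php require 'includes/db.php'; ?>\n")
        # Legitimate include altered after deployment (constructed change).
        (live / "includes" / "db.php").write_text("<?php // constructed DB bootstrap, edited ?>\n")
        # Hypothetical unauthorized script dropped alongside real includes so
        # its name does not stand out (constructed stand-in, not real code).
        (live / "includes" / "cache_helper.php").write_text(
            "<?php // constructed stand-in for an unauthorized script ?>\n"
        )
        return audit_webroot(live, manifest)


if __name__ == "__main__":
    for status, rel in demo():
        print(f"{status:9} {rel}")
```

The manifest only helps if it is generated from a trusted source (the build artifact or version control) and stored where a web-server compromise cannot rewrite it; run the audit from a separate host or a read-only mount so an intruder with write access to the web root cannot simply re-baseline their own files.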
Codey parted ways with the team in February 2018, and it was far from a smooth separation. It appears that he kept stalking, harassing, and threatening staff members with swatting unless the game shut down, which it did by the end of the month.
However, the staff announced that the game would be back online in April, to the satisfaction of many, and the number of players registering for an account kept growing.
Hackers eyed valuable accounts
A current CPRewritten admin told us that the team noticed an hour later that the server’s resources were being used heavily. Unknown at the time was that this load was caused by the intruder’s efforts to exfiltrate the user information.
The activity received more serious attention early the next day, at 3 AM BST. That window was enough for the attacker(s) to steal the account data along with 2.9 million IP address logs for registrations and login dates, the CPRewritten administrator said.
When the CPRewritten team took action to block the unauthorized access, the intruder was trying to damage records and steal valuable accounts with “rare virtual items” collected from the game.
These items are what attract hackers targeting game players as they grant advantages that make the avatar holding them more powerful, and can also be exchanged for real money.
The Have I Been Pwned (HIBP) data breach notification service analyzed the data and added it to its database. The total number of compromised accounts is 4,007,909.
In January 2018, CPRewritten suffered another data breach that exposed about 1.7 million unique email addresses, along with usernames and bcrypt hashes of passwords.
Somehow, the incident did not come to light until HIBP announced it more than a year later, in April 2019. The staff had already learned about it and had started to contact the affected users.