Hackers Retaliate For Club Penguin Shutdown, Stealing 2.5GB Of Disney Data
A poster on message board 4Chan shared a link that led to an archive of 137 PDFs of character sheets, documentation, e-mails, and other information related to Club Penguin. Unfortunately for Disney, this is only a small part of the information that was taken from their servers, as the hackers appeared to have gotten more than they bargained for.
Sources familiar with the matter told Bleeping Computer that the intruders were able to get away with 2.5GB of data that includes sensitive corporate information, company strategies, internal developer tools and internal infrastructure, and several other bits of information that were stolen alongside the Club Penguin documentation.
Most concerning is the theft of information relating to tooling and infrastructure currently in use by Disney’s developers, “including internal api endpoints and credentials for things like S3 buckets.” Having access to this kind of data will make it easier for hackers to break into company systems in a future attack, especially as it seems that the data is as recent as this year.
The attack on Disney is a result of credentials that were exposed at some time in the past and were seemingly left unchanged even after being released. It’s surprising that Disney didn’t have some kind of two-factor authentication considering how sensitive the information is. Hopefully the company is able to plug these security holes and the stolen data doesn’t cause it much harm.