A disgruntled administrator left a backdoor in a kids' gaming website that enabled hackers to steal login data for a little over 4 million accounts, the website's administrators announced.

BleepingComputer learned that on Friday, around 11 PM BST, email addresses, usernames and passwords stored as bcrypt hashes belonging to players of Club Penguin Rewritten (CPRewritten), an independent recreation of Disney's Club Penguin massively multiplayer online game for kids aged 6 to 14, started to seep out from the website's live database.

Hackers eyed valuable accounts

A current CPRewritten admin told us that the team noticed, an hour after the unauthorized access occurred, that the server's resources were being used intensively. Unknown at the time was that this load was caused by the intruder's efforts to exfiltrate the user information.

This received more serious attention early the next day, at 3 AM BST. However, this window allowed the attacker(s) to steal the account data and 2.9 million IP address logs for registrations and login dates, the CPRewritten administrator said.

When the CPRewritten team took action to block the unauthorized access, the intruder was trying to damage records and steal valuable accounts with "rare virtual items" collected from the game.

These items are what attract hackers targeting game players, as they grant advantages that make the avatar holding them more powerful and can also be exchanged for real money.

The Have I Been Pwned (HIBP) data breach notification service analyzed the data and added it to its database. The total number of compromised accounts is 4,007,909.

Users are strongly advised to change their passwords, as bcrypt hashes slow down cracking but are not immune to it, given enough patience and computing resources.
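To make the warning above concrete, here is an added example, written in PHP to match the stack the article describes and not code from CPRewritten or its staff. It benchmarks bcrypt at two cost factors, turns the per-hash time into a rough per-core guess rate, and shows the login-time rehash pattern a site operator uses to raise the cost of hashes that are already stored. The password, the cost values and the wordlist size are constructed for illustration.

```php
<?php
// Added example (not CPRewritten code): how bcrypt's cost factor bounds a
// guess rate, and a login path that upgrades hashes stored at a weaker cost.
// All sample values below are constructed for illustration.

declare(strict_types=1);

// Constructed policy value; tune so one hash takes roughly 250 ms on your hardware.
const TARGET_COST = 12;

/** Measure seconds per bcrypt hash at a given cost on this machine. */
function bcryptSecondsPerHash(int $cost, int $samples = 3): float
{
    $start = microtime(true);
    for ($i = 0; $i < $samples; $i++) {
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (microtime(true) - $start) / $samples;
}

/**
 * Rough time for one CPU core to try every entry of a wordlist of $guesses
 * passwords against $hashes leaked hashes. bcrypt salts each hash, so the
 * work scales linearly with the number of hashes attacked.
 */
function crackEstimateSeconds(int $cost, int $guesses, int $hashes = 1): float
{
    return bcryptSecondsPerHash($cost) * $guesses * $hashes;
}

/**
 * Verify a login and, on success, transparently rehash when the stored hash
 * was produced at a cost below the current policy. $persist receives the new
 * hash and is expected to write it back to the user record.
 */
function verifyAndUpgrade(string $password, string $storedHash, callable $persist): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => TARGET_COST])) {
        $persist(password_hash($password, PASSWORD_BCRYPT, ['cost' => TARGET_COST]));
    }
    return true;
}

// --- demo ---
foreach ([10, 12] as $cost) {
    $perHash = bcryptSecondsPerHash($cost);
    printf("cost=%d: %.3f s/hash, ~%.0f guesses/s per core\n", $cost, $perHash, 1 / $perHash);
}

// A constructed 10-million-entry wordlist against a single hash, one core.
$days = crackEstimateSeconds(10, 10000000) / 86400;
printf("cost=10, 10M guesses, 1 hash, 1 core: ~%.1f days\n", $days);

// A hash stored at cost 10 is upgraded on the next successful login.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$stored = $legacy;
$ok = verifyAndUpgrade('correct horse', $legacy, function (string $newHash) use (&$stored): void {
    // In production this would be an UPDATE on the user's row.
    $stored = $newHash;
});
printf("login ok=%s, rehashed=%s\n", var_export($ok, true), var_export($stored !== $legacy, true));
```

The estimate is deliberately crude: it assumes one core and a naive wordlist pass, and attackers with more hardware scale it down accordingly. Two points survive any such refinement. First, raising the cost factor helps only for hashes created or rehashed after the change, which is why the rehash-on-login path matters. Second, a weak or reused password falls quickly at any cost factor, so after a leak the password itself must change; the hash parameters only buy time.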

It is unclear if the administrators of Club Penguin Rewritten informed all affected users of the breach. A notification is present on the website; some users pointed to it on social media.

However, many users may have missed it since a link to it was not shared on the game's main communication channel (currently with almost 40,000 followers) or the one for support (followed by around 13,000); we could not find a way to reach it from the main sections of the website.

Another distribution method would be the game's Discord channel, which at the time of writing counts close to 8,000 members. We were told that the invitation to the CPRewritten Discord channel changes frequently, which makes it difficult for more players to join.

Even if the individuals following CPRewritten through these channels are all unique, the total still adds up to far less than the 4 million accounts affected by the data breach.

Resentful admin shuts down the game

The incident allegedly occurred because a former administrator, nicknamed Codey, left behind PHP files that allowed access to the website's database, a staff member of the game told BleepingComputer. The malicious code was hidden among regular files to avoid detection.

Codey parted with the team in February 2018 in what looks like a bumpy exit. He was accused of stalking, harassing, and threatening staff members with swatting unless the game shut down, which happened by the end of the month.

However, the staff announced that the game would be back online in April, to the satisfaction of many, and the number of players registering for an account kept growing.

Players applauded the decision

Hackers claim the breach

A hacker outfit using the Twitter name New World Order took responsibility for the CPRewritten breach a couple of days after they copied the user data. They said that they exploited a vulnerability in Adminer, a PHP-based database management tool.

Codey told us that Adminer was installed when he was still part of the game's team, along with phpMyAdmin, and strongly denied having left backdoor access to the website.

The group said on Twitter that Codey had nothing to do with the breach and that the administrators of the game are aware of it and keep using their former team member as a scapegoat.

The hackers claim that the game managers attempted to patch the vulnerability but were not quick enough. To cover this failure, CPRewritten admins carried on with their work as if nothing had happened, the hackers say.

BleepingComputer tried to find out if the admins informed all users impacted by the incident but apart from our initial message, our emails to the game's addresses for reporting abuse and for user support remained unanswered.

Treating data breaches with silence was publicly criticized by numerous users. Some examples are available in the replies to HIBP's tweet about the breach, with others scattered on Twitter.

The other side of the story

Codey is one of the founders of Club Penguin Rewritten. He tells a different story about leaving the project, describing a toxic working environment where one of the team members started to display rude conduct in front of moderators and players, many of them children. His behavior also suggested that the project might come to harm.

The former admin supports his statements with snapshots of conversations between him and Hagrid, a member of the admin team, co-founder and developer of the game.

Codey denies the allegations his former colleagues make against him, saying that the reason they kicked him out of the team was that he opposed updating the game with buggy code. He very much disliked this and raised the issue, only to face the same situation all over again with the next unstable update.

"They'd publish out a very buggy update and I would remove it and tell them that I did not like how they're updating stuff without my permission or letting me know. So one day I removed a very buggy update they did which corrupted user data and they kicked me out" - Codey

Codey shared a conversation showing that Hagrid knew about the buggy updates and yet showed no interest in correcting the code and was fine with pushing them as they were.

As for continuously being blamed for the bad things happening to the project, Codey says it is because of his Discord channel, where he publicizes CPRewritten's violations of data protection laws like GDPR and COPPA.

He also rejects the allegations of stalking and causing distress to his former colleagues after his departure.

"A group called Pigeon Patrol kept doing that. They never gave me their addresses so I could do any of that + I do not live in the same country they are from," he told BleepingComputer, adding that he does not know the real names of the CPRewritten admins.

h/t to Marc

Neither side may hold the whole truth, but one thing is certain: data belonging to players of CPRewritten has fallen into the wrong hands, and the administrators of the game are the ones responsible for protecting it and making sure that the impact on users is minimal.

Previous breach discovered after a year

In January 2018, CPRewritten suffered another data breach that exposed about 1.7 million unique email addresses, along with usernames and bcrypt password hashes.

Somehow, the incident did not come to light until HIBP announced it more than a year later, in April 2019. The staff had already learned about it by then and said that they had contacted the affected users.

This breach happened in January 2018

UPDATE [8/2/19, 20:17 EST]: The article has been heavily edited to add new information received from Codey and other sources in order to better reflect the larger context of the breach.