Club Penguin Rewritten (CPRewritten) is an independent recreation of Disney's Club Penguin multiplayer online game for kids aged 6 to 14. It launched in 2017 in order to continue the earlier Club Penguin (CP), which was shut by owners Disney in the same year. In January 2018, it suffered a data hack, which exposed almost 1.7 million unique email addresses. Now is the second breach in two years.

On July 27, 2019, the admin team noticed an hour after the unauthorized access. Then they quickly judged the behavior was caused by hackers to exfiltrate the user information. The website's admin figured out the hacking in hours, but this time window allowed the hacker to steal the account data of 4 million users.

The website said that the incident was due to a disgruntled administrator who left a backdoor that enabled hackers to steal login data. But separate hackers declared to be responsible for the breach, the infamous New World Order is one of them.

The breached data includes:

• email address, alongside IP address
• username
• password, stored as bcrypt hash

The website uncovered the breach relatively fast and stopped the leakage as soon as possible. It announced that the victims were known and contacted without any delay.  

Disclose quickly The website disclosed the hacking on the first day. They contacted victims and forced to change passwords and re-login. CPRewritten did its best to keep accounts and their data safe.

Change password All passwords are saved as high standard Bcrypt hash, which should be safe temporarily. However, the algorithm isn't a magic shield and might be decrypted by attackers with enough time on their hands. So, users have to update the password the earlier the safer.

Help underage victims As for leaked email and other personal information, CPRewritten doesn't have a settlement plan. Parents and adults have to keep an eye on young victims from cybercriminals driven by the leaked private data.

In January 2018, CPRewritten suffered the first data breach that exposed about 1.7 million unique email addresses. The company hid it from the public until HIBP announced it more than a year later, in April 2019. Comparing with the previous breach, the company's actions have big progress.

After a previous breach, January 2018 affecting 1.7 million accounts, made public one year ago, the website ran into the same incident again. Why are hackers interested in it?

What is the cause of the latest breach? For children's email addresses?

When CPRewritten realized it's a breach, it took defensive measures. They found the hackers had already tried to damage records and steal valuable accounts that had rare virtual items from the game.

Notice that "rare virtual items" in games is the real object of the breach because it's exchangeable for money. Stuff in game-website is much easier to monetize than email or personal information and with less risk. These items make the players more powerful, and can also be exchanged for real money.

So, we usually see game websites on the breached list.

What is the method of the latest breach? CPRewritten claimed that the hacker accessed a hidden PHP database back door that was set by a former site admin last year. The malicious code was hidden among regular files, to avoid detection. CPRewritten hinted it's due to internal defeat and management issues.

But a hacking group, the New World Order, who claimed credit for the breach after a couple of days, said they attacked the site by a vulnerability in the Adminer database administration tool and hinted there are existing paths to hack this sort of website. "CPR admins know who we are, we’re responsible for the database breaches of many other CPPSes."  

The hackers claimed that the CPRewritten attempted to patch a vulnerability but were not quick enough. To cover this failure, it carried their work as if nothing had happened and used former team member as a scapegoat.

The mentioned former team member is called "Codey", one of the founders of CPRewritten. He described the company had "a toxic working environment," and said he did nothing about the breach.

A website launched in 2017 but experienced 2 times breach incidents till 2019. Why is a boy or girl willing to be a user of it?