CPRewritten 2019 Breached from Backdoor

Breach and Leak Report: Club Penguin Rewritten (CPRewritten) was breached two times, in 2018 and 2019. It is a children's gaming site, so the leaks exposed the email addresses and personal data of millions of minors.

By Jackson White
1. The Second Breach
Club Penguin Rewritten (CPRewritten) was breached two times, in 2018 and 2019. There are few serious users on the website because it is for children's gaming. But the leakage of millions of minors' emails and personal information should cause a huge security concern in both the online and offline world. If you are a consumer, why do you still trust it?

It is an independent recreation of Disney's Club Penguin multiplayer online game for kids aged 6 to 14. It launched in 2017 to continue the earlier Club Penguin (CP), which its owner Disney shut down in the same year. In January 2018, it suffered a data hack, which exposed almost 1.7 million unique email addresses. This is now the second breach in two years.

On July 27, 2019, the admin team noticed the unauthorized access an hour after it happened. They quickly concluded that hackers were behind the activity and were exfiltrating user information. The website's admins figured out the hacking within hours, but this time window allowed the hacker to steal the account data of 4 million users.

The website said that the incident was due to a disgruntled administrator who left a backdoor that enabled hackers to steal login data. But separate hackers claimed to be responsible for the breach; the infamous New World Order is one of them.

The breached data includes:
  • email address, alongside IP address
  • username
  • password, stored as bcrypt hash
2. Actions of CPRewritten and Victims
The website uncovered the breach quickly and stopped the leakage as soon as possible. It announced that the victims were known and contacted without any delay.  

Disclose quickly: CPRewritten did its best to keep accounts and their data safe. The website disclosed the hacking on the first day. They contacted victims and forced them to change passwords and log in again.

Change password: All passwords are stored as high-standard bcrypt hashes, which should be safe temporarily. However, the algorithm isn't a magic shield, and the hashes might be cracked by attackers with enough time on their hands. So, users have to update their passwords; the earlier, the safer.

Help underage victims: As for leaked emails and other personal information, CPRewritten doesn't have a settlement plan. Parents and other adults have to protect young victims from cybercriminals who make use of the leaked private data.

We agree that the company's actions show considerable progress compared with the previous breach. In January 2018, CPRewritten suffered its first data breach, which exposed about 1.7 million unique email addresses. The company hid it from the public until HIBP announced it more than a year later, in April 2019.

3. Game and Underage
After a previous breach in January 2018, which affected 1.7 million accounts and was made public one year ago, the website ran into the same kind of incident again. Why are hackers interested in it?

What is the motive behind the latest breach? Is it children's email addresses?

When CPRewritten realized it was a breach, it took defensive measures. They found the hackers had already tried to damage records and steal valuable accounts with rare virtual items from the game.

Notice that the "rare virtual items" in games are the real object of the breach. These items make players more powerful and can also be exchanged for real cash. Items on a game website are much easier to monetize than emails or personal information, and with less risk.

This is why we so often see game websites on the breach list.

4. Technology Comments
What is the method of the latest breach? CPRewritten claimed that the hacker accessed a hidden PHP database back door set by a former site admin last year. The malicious code was hidden among regular files to avoid detection. CPRewritten hinted that the cause was internal failures and management issues.

But a hacking group, the New World Order, which claimed credit for the breach a couple of days later, said they attacked the site through a vulnerability in the Adminer database administration tool and hinted that there are existing paths to hack this sort of website. "CPR admins know who we are; we're responsible for the database breaches of many other CPPSes."
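Both accounts come down to a PHP file in the web root that should not have been reachable there: a planted back door, or an exposed Adminer install. The following added example (not CPRewritten's code or tooling) compares a deployed web root with a manifest recorded at release time and flags unexpected, modified and database-admin files; the sample tree, the file names and the match on the filename "adminer" are assumptions of this example.

```python
import hashlib, os, tempfile
# "adminer" is the tool named on the page; matching on the filename is this example's assumption.
DB_ADMIN_HINTS = ("adminer",)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def audit_webroot(root, manifest):
    """Compare the deployed tree with the manifest recorded at release time."""
    deployed = build_manifest(root)
    findings = []
    for rel, digest in sorted(deployed.items()):
        if rel not in manifest:
            findings.append(("unexpected", rel))      # file nobody shipped
        elif manifest[rel] != digest:
            findings.append(("modified", rel))        # shipped file changed in place
        if any(hint in os.path.basename(rel).lower() for hint in DB_ADMIN_HINTS):
            findings.append(("db-admin-tool", rel))   # should not be web-reachable
    findings += [("missing", rel) for rel in sorted(manifest) if rel not in deployed]
    return findings

def demo():
    """Constructed sample: a small release tree, then three post-release changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        write("index.php", "<?php echo 'home';")
        write("play/login.php", "<?php // login form")
        manifest = build_manifest(root)               # recorded at release time
        write("play/login.php", "<?php // login form, edited after release")
        write("assets/img/cache.php", "<?php // constructed placeholder")
        write("tools/adminer.php", "<?php // constructed placeholder")
        return audit_webroot(root, manifest)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

For the comparison to mean anything, the manifest has to be stored somewhere the web server account cannot write to.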

The hackers claimed that CPRewritten attempted to patch a vulnerability but was not quick enough. According to them, it then carried on its work as if nothing had happened and used former team members as scapegoats to cover this failure.

The former team member mentioned is called "Codey," one of the founders of CPRewritten. He described the company as having "a toxic working environment" and said he did nothing about the breach.

The website launched in 2017 and had experienced two breach incidents by 2019. Why would a boy or girl be willing to be a user of it?