Important Announcement — Security & Our Story
We are saddened to tell you that unfortunately Club Penguin Rewritten suffered a security breach on Saturday 27th July at 3 AM BST. Passwords are not at risk of being compromised as they are heavily encrypted. However, IPs and E-Mail addresses were extracted. The compromisers tried damaging the database so we rolled back to a previous backup which was 24 hours before. We are dearly sorry that this happened and will do everything that we can to fix this situation and help everyone. Please see our recommended security practices below.
- Despite your passwords being impossible to crack, we heavily suggest that you have a different password for every website that you sign up for; this is a security practice that everybody should be following. If you need to change your password, you can do so here.
- Always be cautious when opening emails because you never know which ones could have malicious intent. If you suspect that the email is from an untrusted address, always report it to your email service.
- It is possible to change your IP address either by contacting your ISP (Internet Service Provider) or restarting your router. Options may vary depending on your ISP.
- You can check to see if you have been affected on our website, or any other website, by visiting Have I Been Pwned.
We prioritise security over anything else and are dearly saddened that this happened. If you have any queries or would like your account to be deleted from our records, please do not hesitate to contact us at [email protected].
How did this happen?
An ex-system administrator used an old file to get into our database. He had multiple of these scattered around our media-server which were deleted by us; unfortunately, this one file went unnoticed and he got a friend of his to gain access. However, we do take full responsibility for this.
We have been keeping silent for about a year and a half, but now we are ready to come out about our perspective of what has been going on ever since, because now it has gotten to the point where user data is getting abused. We are not putting blame on anybody; we are just coming out about our perspective. Before reading this, we would like to ask you not to target anybody that we mention.
On February 8th, 2018, our ex-system administrator, Codey, was fired from his position. This was due to an array of reasons.
A week after being demoted, Codey threatened to leak the CPR server code (codename "Auroris") which was made by an administrator. This was not his work and he had no right to leak it; but he did so out of spite.
A few months later, Codey leaked the personal information of a few team members, such as personal emails, home addresses and facial pictures, to the internet and to cyber-criminals. He then got people to continuously send pizzas and emergency services to staff houses in spite of being kicked off of the team. This led to Club Penguin Rewritten's initial temporary shutdown, in March 2018, as we value our staff's safety. We used this time to look back and figure out this situation; this also included the police and cyber-security experts getting involved.
Codey and his friends created multiple websites and social media accounts to slander our administration team. One of his friends got into a social media account that belonged to an administrator on the CPR team, when they were a minor, and leaked facial pictures and personal information in an attempt to get CPR closed.
After a few months of silence, Codey sent a fraudulent letter to two of our admins pretending to be Disney. The letter was clearly fake as there was no return address, there was bad grammar and no signature of the writer or company. We know this was him because he threatened to do this before and impersonated Disney before on many occasions to take down other servers.
On April 23rd 2019, Codey sent a backup of the CPR database to Have I Been Pwned. He played this off as if it was an actual security breach and went as far as to change the date of the breach to 2019, when the database backup was from early 2018, the year before. He contacted the owner of the website, Troy Hunt, and tried getting him involved in all these politics to, once again, try and spite us. Troy Hunt contacted us and we worked with him to get the correct information out on his website.
Sorry for all of this
We sincerely apologise to everyone this has affected — staff AND community. We hope that this situation, that has been going on for a year and a half, stops as it is impacting the lives of many people. Once again, we take full responsibility for this and are not trying to shift the blame. Furthermore, we will do everything we can to prevent these types of situations from happening again.
Thank you for listening,
- Thorn, Joee, Hagrid & Stu (Club Penguin Rewritten Administrators)