The feud between Disney and fans of the defunct Club Penguin game has taken an unexpected, security-focused turn after an apparently new database full of sensitive company information was leaked online.
Earlier this week, a threat actor posted a new thread on 4Chan with a simple message: “I no longer need this :)” and included a link to a 415MB archive of 137 PDFs containing inside information about Club Penguin, an old massive multiplayer online (MMO) game, discontinued years ago, but still with a devout following who play it somewhat illegally.
The database contained emails, design diagrams, documentation and character sheets.
Exposed references
According to BleepingComputer, who has seen the database firsthand, the information in it is seven years old. However, whoever stole this information only posted part of it. The entire database, apparently taken from Disney’s Confluence server, is much larger and apparently contains newer information as well. The rest seem to be making the rounds on Discord.
The publication stated that the Confluence servers had been hacked using previously disclosed credentials. An anonymous source also confirmed to the publication that the attackers were initially looking for Club Penguin data, but ultimately obtained 2.5 GB of Disney business strategies, advertising plans, Disney+ data, internal developer tools, business projects and internal infrastructure.
“There are many more files here, including internal API endpoints and credentials for things like S3 buckets,” an anonymous source told us BleepingComputer.
Club Penguin, a game designed for children, was developed by New Horizon Interactive and released in 2005. It was acquired by Disney in 2007 and discontinued in 2017. That same year, a number of indie developers were unhappy with the fact that Disney was closing the game and released Club Penguin Rescribe, essentially a copy of the original game, built on pre-existing Flash files and simulated older versions of the original . It lacked monetization and in-game purchases.
The City of London Police suspended the game in 2022 in accordance with a copyright investigation request from Disney. Three people were arrested.
Before its closure, the game had over 11 million registered players.