Club Penguin fans breached Disney Confluence server, stole 2.5GB of data

Club Penguin fans hacked a Disney Confluence server to steal information about their favorite game but wound up walking away with 2.5 GB of internal corporate data, BleepingComputer has learned.

Club Penguin was a multiplayer online game (MMO) from 2005 to 2018, featuring a virtual world where players could engage in games, activities, and chat with other players. The game was originally created by New Horizon Interactive, which Disney later bought.

While Club Penguin was officially shut down in 2017, and its successor, Club Penguin Island, in 2018, the game continues to live on in private servers run by fans and independent developers. Although Disney pushed back on a more prominent ‘Club Penguin Rewritten’ remake, causing its operators to be arrested, private servers continue to this day with thousands of players.

Club Penguin fans hack Disney

This week, an anonymous person uploaded a link to “Internal Club Penguin PDFs” on the 4Chan message board with the simple statement, “I no longer need these :).”

The link goes to a 415 MB archive containing 137 PDFs that contain old internal information about Club Penguin, including emails, design schematics, documentation, and character sheets. All of this data is seven years old, if not older, making it only interesting to fans of the game.

SENSEI character sheet from leaked documents

BleepingComputer has since learned that the Club Penguin data is only a small part of a much larger data set stolen from Disney’s Confluence server, which stores documentation for various business, software, and IT projects used internally by Disney.

According to an anonymous source, Disney’s Confluence servers were breached using previously exposed credentials.

The source says that the threat actors were initially looking for Club Penguin data; they wound up downloading 2.5 GB of data about Disney’s corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure.

“Lot more files here including internal api endpoints and credentials for things like S3 buckets,” an anonymous source told BleepingComputer.

The data, seen by BleepingComputer, includes documentation on a wide variety of initiatives and projects, as well as information on internal developer tools named Helios and Communicore, which have not previously been disclosed publicly.

CommuniCore is a “high-performance asynchronous messaging library, aimed at use in distributed applications.”

Helios is a show authoring and playback tool that allows Disney producers and authors to create interactive non-linear “experiences” using real world inputs from sensors in Disney’s parks.

Strewn throughout the documents are links to internal websites used by Disney developers, which could be useful to threat actors who wish to target the company.

While the Club Penguin data is fairly old, the rest of the data circulating on Discord is much newer, with information from 2024.

BleepingComputer was told that the original Club Penguin PDFs shared on 4Chan were stolen weeks ago. However, the Disney corporate data appears to have been downloaded much more recently, as the documents contain the following text, “Document generated by Confluence on Jun 01, 2024 21:59.”

BleepingComputer contacted Disney multiple times with information and questions about the breach but has yet to receive a reply.
