Membership Penguin followers hacked a Disney Confluence server to steal details about their favourite recreation however wound up strolling away with 2.5 GB of inside company knowledge, BleepingComputer has discovered.
Membership Penguin was a multiplayer on-line recreation (MMO) from 2005 to 2018, that includes a digital world the place gamers may have interaction in video games, actions, and chat with different gamers. The sport was initially created by New Horizon Interactive, which Disney later bought.
Whereas Membership Penguin was formally shut down in 2017, and its successor, Membership Penguin Island, in 2018, the sport continues to dwell on in personal servers run by followers and impartial builders. Although Disney pushed again on a extra outstanding ‘Membership Penguin Rewritten’ remake, inflicting its operators to be arrested, personal servers proceed to today with 1000’s of gamers.
Membership Penguin followers hack Disney
This week, an nameless individual uploaded a hyperlink to “Internal Club Penguin PDFs” on the 4Chan message board with the straightforward assertion, “I no longer need these :).”Â
The hyperlink goes to a 415 MB archive containing 137 PDFs that include outdated inside details about Membership Penguin, together with emails, design schematics, documentation, and character sheets. All of this knowledge is seven years outdated, if not older, making it solely fascinating to followers of the sport.
BleepingComputer has since discovered that Membership Penguin knowledge is simply a small a part of a a lot bigger knowledge set stolen from Disney’s Confluence server, which shops documentation for varied enterprise, software program, and IT initiatives used internally by Disney.
Based on an nameless supply, Disney’s Confluence servers had been breached utilizing beforehand uncovered credentials.
The supply says that the menace actors had been initially in search of Membership Penguin knowledge; they wound up downloading 2.5 GB of knowledge about Disney’s company methods, promoting plans, Disney+, inside developer instruments, enterprise initiatives, and inside infrastructure.
“Lot more files here including internal api endpoints and credentials for things like S3 buckets,” an nameless supply instructed BleepingComputer.
The info, seen by BleepingComputer, contains documentation on all kinds of initiatives and initiatives, in addition to data on inside developer instruments named Helios and Communicore, which haven’t beforehand been disclosed publicly.Â
CommuniCore is a “high-performance asynchronous messaging library, aimed at use in distributed applications.”
Helios is a present authoring and playback software that enables Disney producers and authors to create interactive non-linear “experiences” utilizing actual world inputs from sensors in Disney’s parks.
Strewn throughout the paperwork are hyperlinks to inside web sites utilized by Disney builders, which could possibly be helpful for menace actors who want to goal the corporate.
Whereas the Membership Penguin knowledge is pretty outdated, the remainder of the information circulating on Discord is way newer, with data from 2024.
BleepingComputer was instructed that the unique Membership Penguin PDFs shared on 4Chan had been stolen weeks in the past. Nonetheless, the Disney company knowledge seems to have been downloaded a lot sooner, as they include the next textual content, “Document generated by Confluence on Jun 01, 2024 21:59.”
BleepingComputer contacted Disney a number of occasions with data and questions in regards to the breach however has but to obtain a reply.