Club Penguin fans hacked a Disney Confluence server to steal information about their favorite game but wound up walking away with 2.5 GB of internal corporate data, BleepingComputer has learned.
Club Penguin was a multiplayer online game (MMO) from 2005 to 2018, featuring a virtual world where players could engage in games, activities, and chat with other players. The game was originally created by New Horizon Interactive, which Disney later purchased.
While Club Penguin was officially shut down in 2017, and its successor, Club Penguin Island, in 2018, the game continues to live on in private servers run by fans and independent developers. Though Disney pushed back on a more prominent ‘Club Penguin Rewritten’ remake, causing its operators to be arrested, private servers continue to this day with thousands of players.
This week, an anonymous person uploaded a link to “Internal Club Penguin PDFs” on the 4Chan message board with the simple statement, “I no longer need these :).”
The link goes to a 415 MB archive containing 137 PDFs that contain old internal information about Club Penguin, including emails, design schematics, documentation, and character sheets. All of this data is seven years old, if not older, making it only interesting to fans of the game.
BleepingComputer has since learned that Club Penguin data is only a small part of a much larger data set stolen from Disney’s Confluence server, which stores documentation for various business, software, and IT projects used internally by Disney.
According to an anonymous source, Disney’s Confluence servers were breached using previously exposed credentials.
The source says that the threat actors were initially looking for Club Penguin data; they wound up downloading 2.5 GB of data about Disney’s corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure.
“Lot more files here including internal api endpoints and credentials for things like S3 buckets,” an anonymous source told BleepingComputer.
The data, seen by BleepingComputer, includes documentation on a wide variety of initiatives and projects, as well as information on internal developer tools named Helios and Communicore, which have not previously been disclosed publicly.
CommuniCore is a “high-performance asynchronous messaging library, aimed at use in distributed applications.”
Helios is a show authoring and playback tool that allows Disney producers and authors to create interactive non-linear “experiences” using real world inputs from sensors in Disney’s parks.
Strewn across the documents are links to internal websites used by Disney developers, which could be valuable for threat actors who wish to target the company.
While the Club Penguin data is fairly old, the rest of the data circulating on Discord is far newer, with information from 2024.
BleepingComputer was told that the original Club Penguin PDFs shared on 4Chan were stolen weeks ago. However, the Disney corporate data appears to have been downloaded much sooner, as they contain the following text, “Document generated by Confluence on Jun 01, 2024 21:59.”
BleepingComputer contacted Disney multiple times with information and questions about the breach but has yet to receive a reply.