My Penguin Has Been Stolen Because Club Penguin’s Security Sucks

By / November 14, 2014


“Did someone hack you o.o” – that was the iMessage I suddenly received from my friend 77lulu77. At first I was doubtful, as earlier this year Club Penguin had penguins creating usernames of already taken penguin names thanks to an invisible character bug. Except it was no fake penguin with the username Trainman1405 and hacked items. It was THE Trainman1405. The Trainman1405 penguin created August 4, 2006 – 3,204 days ago.

Lulu: did someone hack you o.o
Me: check pins
Me: and stamps
Lulu: i did
Lulu: o.o
Me: where are you lol ill go on another penh

Me: peng*
Me: to see

Lulu: sleet ice burg
Me: someones on my penguin

Hacked Trainman1405 Password
Someone on my penguin that’s not me

As it turns out, the person on my penguin is called Sentrix. And while he’s a good guy, the people with access to Club Penguin’s moderator panel are not. That’s right, people have access to Club Penguin’s moderator panel and they shouldn’t.

Trainman1405 Hacked Parent Account
Sentrix removed Trainman1405 from my parent account and put it on his own

As I said, Sentrix, aka BroDude, is a good guy. While yes, he hacked my penguin, he did it to bring light to this major flaw in Club Penguin’s system. His friends (or people he knows) are the ones who have access to the vulnerability and they gave him pictures of Club Penguin’s mod database for my penguin. Here’s my Skype conversation:

[11/14/14, 6:53:26 PM] BroDude: Devin
[11/14/14, 8:02:52 PM] BroDude: Devin
[11/14/14, 8:27:41 PM] Devin: so i hear you got my penguin lol
[11/14/14, 8:28:07 PM] BroDude: yeah lol
[11/14/14, 8:28:15 PM] BroDude: I got your account and I feel terrible
[11/14/14, 8:28:20 PM] BroDude: so I wanna give it back’
[11/14/14, 8:28:23 PM] Devin: well at least you’re not malicious lol
[11/14/14, 8:28:26 PM] Devin: but how’d you do it
[removed upon request]
[11/14/14, 8:29:18 PM] BroDude: Devin
[11/14/14, 8:29:21 PM] BroDude: I needed to talk to you
[11/14/14, 8:29:25 PM] BroDude: because I realised that what I did
[part removed]
[11/14/14, 8:29:39 PM] BroDude: lol…..
[11/14/14, 8:29:49 PM] Devin: nah not gonna do that
[11/14/14, 8:30:07 PM] BroDude: alright
[11/14/14, 8:30:12 PM] BroDude: let me quickly get you the pics
[11/14/14, 8:30:34 PM] BroDude: heres 1 of em
[11/14/14, 8:30:35 PM] BroDude: [pic removed as it contains some sensitive info, see below for a similar image with a little info redacted]
[11/14/14, 8:30:57 PM] BroDude: [pic removed, contains my payment history with club penguin]
[11/14/14, 8:31:19 PM] Devin: what are the notes under my account lol I’m curious
[11/14/14, 8:31:25 PM] BroDude: I dont know
[11/14/14, 8:31:30 PM] BroDude: I dont have access to the panel
[11/14/14, 8:31:33 PM] Devin: ah okay
[11/14/14, 8:31:34 PM] BroDude: only pictures
[11/14/14, 8:31:41 PM] BroDude: and im not asking for more
[11/14/14, 8:31:59 PM] BroDude: I dont want to get more of these pics leaked
[11/14/14, 8:32:16 PM] BroDude: Btw
[11/14/14, 8:32:27 PM] BroDude: can me you and lulu get in a call so I can explain more
[11/14/14, 8:32:33 PM] BroDude: too long of a story to explain in chat
[11/14/14, 8:32:33 PM] BroDude: lol
[11/14/14, 8:33:12 PM] Devin: sure
[11/14/14, 8:33:14 PM] BroDude: alright
[11/14/14, 8:33:17 PM] BroDude: Call started
[11/14/14, 8:33:23 PM] BroDude: BroDude created a group conversation

Here’s the first picture from the Skype chat. I hid the private email address I had my penguin under, as nobody knows it but me….until this incident. This image is of Club Penguin’s moderator panel where they can look up player info and edit it such as the username, password, and parent email. They can also add notes to the penguin (I wish I knew what the 72 about me are) and see bans, transactions, and much more.

They also, unfortunately, got all of my private information. Last name, full address, and with a bit of searching, they found out the names of family members and what my house looks like.

They can see my full transaction history. Here’s a part of it:

So, what I’ve been able to gather is this:

  1. Sentrix’s friends or something are the ones with access to Club Penguin’s mod panel (as well as other secured stuff) and they gave him pictures
  2. Sentrix called Club Penguin and managed to trick Club Penguin Support (specifically Connor, sorry bud) into changing the parent account to his own email address. How was he able to trick Club Penguin? Simple – he had all my personal information, so with one simple call to Club Penguin and a few lies while pretending to be me, he managed to get it changed after “verifying” that “he” was really Trainman1405 calling Club Penguin.

So basically, anyone with this access they shouldn’t have can look up details of ANY penguin and change the info on ANY penguin they please. I expected much better security from Disney. But alas, the damage has been done.

Also, for a little fun Sentrix added four five-year memberships to his penguin account since it’s a benefit of mods.

I’m lucky Sentrix/BroDude is a nice guy and didn’t take my penguin with malicious intent. But like I said, he and others now have access to my personal information. That’s a huge violation of privacy and this is no doubt my worst Club Penguin experience in the eight years I’ve been playing. I expected much better. I knew Club Penguin’s been lacking in security this past year, but I didn’t know it was *this* bad…

Hopefully this giant mess gets sorted soon and I can get my penguin back. Club Penguin may be able to change my email address back but they can’t change my home address or last name to something once again private, the way it should be online. :[

rudiko

I’m so sorry. I would’ve freaked out if this happened to me :'(

Denice

oh jeez D:

Enb 11

Great post, Train, glad to see it come to light. Also, in your Skype chat up there Sentrix said the s-word and you didn’t block it.

Trainman1405

Yes, my apologies on leaving that in. I’ve removed that whole bit. :)

bobson28287

They used cloud penguin cuz my friend did this to a famous person who is Arch.

Mr Perry P

No, no they didn’t. Cloud Penguin doesn’t have the capacity to do THIS much damage to Club Penguins security problem. Again Train, thanks for bringing this topic to light. So that every CP player and parent knows about how dangerous this situation is.

Now this is a message for CP, you have only patched small item adders, while there are still huge ones out there and you’ve failed to take action. You know other adders and hacking devices are out there, and you failed to take action. And because of the lack of security and privacy in Disney’s servers (which clearly you all know about.) this has happened. C’mon guys, you have the intelligence, you have the money. Fix this issue, or one day you will lose control of the amount of hackers attacking and changing Club Penguin will be unimaginable. Fix it, while you still can. For the sake of the children, parents, bloggers and yourselves. We beg you.

-Waddle On.

zezocool

can you tell him make a video?

North

The pictures were actually meant to be private (your account was never touched, Sentrix is the one who called CP and used the details shown as an example to gain access to your account), Sentrix is the one who is to blame not CP (as CP was working towards fixing this before any of this happened).
Lesson learnt: Don’t show Sentrix anything you want to keep private between you both.

daringcadash

CP better see this. Are you still going to post CP stuff? (Because your penguin was hacked…) Hopefully they’ll remove the item adders and etc. And yes, I agree that their security sucks…

Trainman1405

I have no intentions on quitting. :)

daringcadash

Thanks for not quitting! I always look at your blog when finding the latest cheats.

Trainman1405

Thanks for the support. :)

Felipe

Wow, wow! That is really pretty shocking. Hopefully Club Penguin Team will understand that their security sucks. They haven’t even fixed exploits like Club Penguin Item Adder yet. Yeah, I have to admit that 2014 is the worst year.

Yes, that post shocked me, Trainman1405.

phineas99cp

2016 awaits for CP! :)

(Well, first half of 2016 for Club Penguin)

Agentzap

Wait, by hacking into the mod panel, they can basically find out EVERYTHING? I worry sometimes.

Trainman1405

Yes, pretty much.

penguinup45cheats

thats why i get membership cards and not pay online they can see where your home is when you buy online!

carphon

Quite confused due to the censorship of most of the conversation, but I do agree Club Penguin surely needs some upgrades in their privacy protection.

North

They already are in progress of doing that since this was discovered awhile ago but kept private since it puts everyone’s information at risk. The screenshots of trainmans account were examples that were meant to be private but Sentrix took advantage of this and took control over trainmans account by calling CP and pretending to be him using information from the screenshots.

North

They already are in progress of doing that since this was discovered awhile ago but kept private since it puts everyone’s information at risk. The screenshots of trainmans account were examples that were meant to be private but Sentrix took advantage of this and took control over trainmans account by calling CP and pretending to be him using information from the screenshots.
–used wrong email reposting comment–

Trainman1405

It doesn’t really matter what email you use since it’s not required when submitting a comment here. :)

ℭω700 ♔ (@Cw700CP)

Really, despite that Club Penguin’s security has gone downhill recently a circumstance like this would have been the last thought and idea in my mind. I mean, we all have trusted CP with our most private information, passwords, and other necessary details. I can’t even blame but rather sympathize for the longtime players or even young children discontinuing from playing Club Penguin for the lack of security and quality this past year. I can envision that they may or will be working more on the security of the game at the start of the new year in the next two months. What they need is to hire more experienced and professional technical members (don’t even know what’s the right profession or term for these kind of workers, hmm…)

Chilly573

Wow… that’s terrible. What I’ve been ashamed of this year is not the quality of parties and features, but Club Penguin’s technical side. Unfixed bugs, rare item adders, puffle adders, large money makers, you name it. But this, this does it. I’m sick of Club Penguin standing by while people hack rare items, unreleased puffles and obtain other people’s accounts. Even I was fooled, when I saw “you” were online on my Friend’s List. Club Penguin needs to STOP STANDING BY, FIX THE BUGS, AND START PAYING ATTENTION TO THESE THINGS. Raging like this is out of character for me, but I’m so, very disappointed in Disney, Club Penguin, and anyone else associated with this security issue. I’m so glad Sentrix is a good guy, and that no major damage was done. I’m sorry your account and private info was stolen, and I hope you get your account back soon. I am sending this post to CP Support as I type this.

Kingkong06

About two years ago I lost my two 2006 penguins from my parent account… I’m worried maybe they did the same thing as they did to you… :(

Flopper138

My buddy list kept saying you were online and offline again, I was wondering what it was. Guess I know now. Did the problem stop?

Sentrix

Hey guys Sentrix here just checking out the post ;D

Darth Lizard

DUDE, PLZ GIVE MY PENG 5 YEAR MEMBERSHIP!!!

p897

You are not the real, why you don’t go to other part , stop it this is something real and seriously and you shouldn’t make jokes about this, you don’t know how this is for train and i hope you didn’t get into the same situation, respect him.

Darth Lizard

That’s terrible. Club Penguin needs to give you something better than a confirmation email! How about membership, the dude went through a hard time! Surely some membership could make his day a bit better..

Debu2001 (@Debu2001_)

I’m Sorry to know that :( are you going to quit Club Penguin? :'( and oh now Club Penguin can ban you forever because you added 5 years membership which is available to moderators. NOOOOO!!!!!!! :”'(

Trainman1405

I’m not quitting and I did nothing with five year memberships, they did that to their own penguin.

Debu2001 (@Debu2001_)

:D and oh sorry a typo ;) Sorry! *they added

Fred

I’m sorry but Sentrix was like: “Hey Train I stole your penguin and I know everything about you so I’m sorry by that. PD: It all was a mistake, I had access to mod panel so I stole it by accident :(” LOL

Toniorocks

Honestly i think that CP has gone downhill since Billybob left :(

77lulu77

So insane! >.>

Pirate 53

And children, that is why CPPS and ITEM ADDERS are more searched than CLUB PENGUIN in the past year. CP is going down hill, by reading this I just want to quit my payments like this is ridiculous.

Bigbuny

Oh goodness, this is horrible! Really scary….. I had no clue stuff like this was happening :3

Red498 (@Red498CP)

The thing with having a CP APP for portable devices (eg. mobile) means that it’s even harder than ever to track your penguin when it is hacked through the app. This happened to me and they couldn’t work out who did it. I eventually found who did it (not saying any names), and they were nice enough to apologise to me and even wanted punishment from me. I didn’t do it though. I have morals.

Ultimate64

Wait, did you get your account back?

TrollCP

I’m happy that someone at least notified you, Train, because if this were to happen to me, I would have never realized and gotten into some trouble. It’s a good thing, as well as bad thing though. Good thing because now Club Penguin knows how weak their security system is, and the bad thing is your private information is no longer a secret, thanks to Club Penguin’s security system. I’m glad you’re getting your account back, because you’ve been working hard since the very first day you joined Club Penguin.

It’s sad and disappointing to see how Club Penguin assures every parent/user that their game is guarded with advanced technology, when is clearly not the case. Even though they might fix this, I will never, in my life again feel comfortable to play Club Penguin as I will always know my private information is at risk.

Great post, and I support you with this. I hope they fix up their security information as I find it more important than parties, updates and applications.

I’m personally friends with Sentrix myself and I’m surprised he did that. I know the people that have access to this stuff (I’m not going to say who) and you’re all fine, they’re not going to do anything extreme.

Undefined

Just so you are aware it was not Sentrix, he leaked the pictures shown to him by someone who sent those to him.

Trainman1405

I am aware.

Pengi50

I think Club Penguin should know about this….

Mickman5

Wow. I haven’t been on Club Penguin since maybe January, and I occasionally check back on this site to see what has been happening in my (old) favourite game. I haven’t checked in maybe 2 months though because of moving. Imagine my surprise and shock to see that something like this has been made possible. And item adders? Money makers? That’s unbelievable. Kinda makes me glad I stopped playing the game back in January. I actually checked my penguin to see if it was unpacked another thing I haven’t done since January.

-Mickman5

azerty15

i wonder if Spike hike will leave a comment on this post :) i hope he sees this so he can fix this problem :)

Justin78596

This is terrible. This never should have happened to you. But there’s something needed to be known, how did Sentrix’s associates get ahold of the mod panel? Hacking?

Sebapilka

“Since the beginning, Club Penguin’s made online safety a priority – we believe kids should know how to stay safe online.” ~Club Penguin’s Safety page.
Hmm, not really…

Atm40

That’s terrible! I hope you get your account back soon!

phineas99cp

keep using your Silly excuse thAt you’Re working on mobile apps Club penguin, i get it, playing in An ipad iS more iMportant than security, i mean, who needs life when you have an ipad, and play over unlimited apps in the world?

Love you club penguin!

p.s. I hope you peeps find my secret message! :D

Darth Lizard

Arasm?

Trainman1405

I think it was “sarcasm”

phineas99cp

We got a winner :D

Anyways, perhaps several CP Memories readers have thought that my comment was sarcasm. It is indeed true.

Seriously. Shouldn’t CP work in the security first instead of making mobile apps? Ironically, hackers discovered vulnerabilities RIGHT when My Penguin (The former name of the CP App) released. Shouldn’t CP have worked on the app first instead of releasing it. Worst of all, they haven’t done nothing against it and they still keep doing other stuff, like releasing MORE Mobile apps.

Way to go CP -_-

57teenybounc

it was sarcasm

1999bloo (@1999bloo)

I hope you get your penguin back :(

greengirl816

OHMYGOD THIS IS NOT GOOD I DIDN’T EVEN KNOW A MODERATOR PANEL EXISTED *get me a disco cuz I am panicking rn*
Is there any way we can protect our penguins?

Trainman1405

Not with this issue, no.

Super Penguin

That’s terrible! :( I hope you get your penguin back… Good luck!

p897

So sorry trainman for that, i know how you are feeling right now, if someone stole my penguin and knew my last name and my address or even the credit card number, i would be really mad. Train why don’t you send a message to cp team and tell them what happened so they can improve their security and so it can’t happen to anybody? That sucks, sorry train to hear that

Brandon (Kingpin2)

Wow… Train, since a security breach occurred that exposes your personal information, thus putting your privacy and safety at risk, you could now sue Disney and likely get millions of dollars. This is outrageous and I wonder how the people who have access to this “Moderator System” are using the data they have available to them.

Undefined

I hope you never get your account back and quit cp blogging forever

Trainman1405

Lol, thanks.

Fight

This is a sign that you must drop it the CP forever, being the game, blog; why it doesn’t this leaving following a really good way of life. And the destination did this with your Penguin for you to stop and reflect on this event along with their real life …

Barry87

Trainman I also saw the penguin the other day too!

cheezlovermw

i wonder what my penguin looks like on the moderator panel thing O.O I’ve been banned like a lot of times O.O I’m scared my next ban might be forever O.O

Trainman1405

Bad boy! :P

Jnk6

My cousin penguin had over 20 bans…

Frosty793

And that’s why I ALWAYS use membership cards! xD

Trainman1405

Lol yeah, lesson learnt.

P41690

Oh My Gosh! I’m so glad you haven’t quit CP! Even if things go wrong you’re still my favourite CP blogger Trainman1405!

Agentzap

I actually kinda want to know all the notes…on Saraapril ;-)

Richard1222

Same omg

Bubbly 3000

I saw this ‘sentrix’ on Sleet today with your penguin in the Town. Hope you get your penguin back buddy, this is bad :(

CP Movies

Train your account was on just now, he was on Forjd at Town, i think it was a fake. loads of people were there

Dhi228

Is there a way to contact Sentrix, and does he mind being contacted? Preferably Twitter :P

Trainman1405

Dunno if he wants his contact info public.

Dhi228

Could you ask him for me?

Gaяя¡ƒяσ Presidento (@GarrifroWDs)

I am outraged! :(

JedEmily

I’m staying off CP for a few days to see if the thing is fixed (BTW check Twitter for a tweet I sent u)

Polar9998

Train on my friends list it says ur on right now

Chilly573

Lol, thanks for the Twitter spotlight. And congrats on getting your penguin back!

Sentrix

Train check PM

All73

“They also, unfortunately, got all of my private information. Last name, full address, and with a bit of searching, they found out the names of family members and what my house looks like.”

That one bit is indeed scary. Imagine these terrible people breaking in your house.

Mincino

All,
The Club Penguin would not be able to stuff like that, anyway, you should know that when membership will do, they ask for your address, but do not worry, I’m sure they will not do anything!

say no to sentrix

omg you hacker hacker !!!! sentrix you should be punished for doing these wrong thing you should be hanged

Adam Peaker

It wasn’t even sentrix who hacked, he just got images from hackers and used the info to trick cp. Either way, he certainly shouldn’t be hanged.

Tomás Francisco Salazar Triviño

(This is in Spanish)
It has happened to me; I had the same experience as you and the truth is that it is terrible. Club Penguin banned me invalidly because of whoever hacked me, changed my password and email, and even posted my password on my own YouTube channel. To this day, Club Penguin has never given me my account back…

-Spanish-

mr shrimpy

i am shocked if they can get into accounts like yours trainman who knows what people would do they could ban your penguin forever to bunches of penguins club penguin staff really needs to step up security.

Rather Be Anon

Pretty sure there’s some sort of legal action you can take against Club Penguin.. Not that you need to, if you don’t feel your safety is threatened. But you gave them personal information about you, under the assumption that it would always be protected. They have a LEGAL obligation to protect this info, so if they aren’t properly keeping third parties from accessing your info, they are liable for any damages. Even if nothing happens, which it probably won’t, they are still responsible for violating the proper security and safety that you and your family are entitled to.

Good luck with dealing with this situation, Trainman! And I also really hope CP realizes how serious the situation is. This goes wayyy beyond indirectly stealing profit from CP and being unfair to other players, the way item adding is. This is downright dangerous.

Mincino

Trainman, I hope you recover your penguin, I know exactly how it is … ever happened to me! :(

Mikey The TMNT

What if he is trying to help you? Like maybe it wasnt a hacker ! But if u want to trick hackers so good ask cp to move your stuff to another account or dress like ur a new user

Lmar10

Can you give me the link to the Club Penguin Moderator Panel?

Trainman1405

1) I/we don’t have it
2) no

Dawn006

Omg this sounds creepy
If I got hacked like this I would freak out a lot.

Serg

While I do personally know some of the people behind this, do not worry, they do not have any intentions of doing anything. Sentrix’s doing was an accident as the pictures were not supposed to be leaked nor was he supposed to do such thing as calling CP support (you know the story). On the bright side, while it was all a dumb move, I believe he wasn’t all that bad in this case since he’s not a bad fellow, not at all. I’m hoping to see some proper security from Disney soon. Unless they want someone reaching their SWF archives at some point.

ғlappy12ЗЗ

This is exactly what happened to me. Someone hacked my account and added it a 5 year membership and it took CP 4 weeks to find out, I never knew that it happened. I noticed the membership badge and checked my membership history and somebody did it to me. I’m banned forever. For this, I need to use my sister’s account. :(

Trainman1405

Wow, that’s really unfortunate.

ғlappy12ЗЗ

I know, right? :( It sucks. I’m so gonna miss my account. Especially my Ghost Puffle. :( You’re lucky yours got unbanned. But, can you please help me? :P

Trainman1405

I never got banned.

pavel lo2

Sanity1 starts all this history….but
1 day will finish?
CP is the only game that doesnt have more that 90% hackers than other games that have 90% of hacks OR MORE!