“Did someone hack you o.o” – that was the iMessage I suddenly received from my friend 77lulu77. At first I was doubtful, since earlier this year an invisible-character bug let people create penguins whose usernames matched already-taken penguin names. Except it was no fake penguin with the username Trainman1405 and hacked items. It was THE Trainman1405. The Trainman1405 penguin created August 4, 2006 – 3,204 days ago.
Lulu: did someone hack you o.o
Me: check pins
Me: and stamps
Lulu: i did
Me: where are you lol ill go on another penh
Me: to see
Lulu: sleet ice burg
Me: someones on my penguin
As it turns out, the person on my penguin is called Sentrix. And while he’s a good guy, the people with access to Club Penguin’s moderator panel are not. That’s right, people have access to Club Penguin’s moderator panel and they shouldn’t.
As I said, Sentrix, aka BroDude, is a good guy. While yes, he hacked my penguin, he did it to bring light to this major flaw in Club Penguin’s system. His friends (or people he knows) are the ones who have access to the vulnerability, and they gave him pictures of Club Penguin’s mod database for my penguin. Here’s my Skype conversation:
[11/14/14, 6:53:26 PM] BroDude: Devin
[11/14/14, 8:02:52 PM] BroDude: Devin
[11/14/14, 8:27:41 PM] Devin: so i hear you got my penguin lol
[11/14/14, 8:28:07 PM] BroDude: yeah lol
[11/14/14, 8:28:15 PM] BroDude: I got your account and I feel terrible
[11/14/14, 8:28:20 PM] BroDude: so I wanna give it back’
[11/14/14, 8:28:23 PM] Devin: well at least you’re not malicious lol
[11/14/14, 8:28:26 PM] Devin: but how’d you do it
[removed upon request]
[11/14/14, 8:29:18 PM] BroDude: Devin
[11/14/14, 8:29:21 PM] BroDude: I needed to talk to you
[11/14/14, 8:29:25 PM] BroDude: because I realised that what I did
[11/14/14, 8:29:39 PM] BroDude: lol…..
[11/14/14, 8:29:49 PM] Devin: nah not gonna do that
[11/14/14, 8:30:07 PM] BroDude: alright
[11/14/14, 8:30:12 PM] BroDude: let me quickly get you the pics
[11/14/14, 8:30:34 PM] BroDude: heres 1 of em
[11/14/14, 8:30:35 PM] BroDude: [pic removed as it contains some sensitive info, see below for a similar image with a little info redacted]
[11/14/14, 8:30:57 PM] BroDude: [pic removed, contains my payment history with club penguin]
[11/14/14, 8:31:19 PM] Devin: what are the notes under my account lol I’m curious
[11/14/14, 8:31:25 PM] BroDude: I dont know
[11/14/14, 8:31:30 PM] BroDude: I dont have access to the panel
[11/14/14, 8:31:33 PM] Devin: ah okay
[11/14/14, 8:31:34 PM] BroDude: only pictures
[11/14/14, 8:31:41 PM] BroDude: and im not asking for more
[11/14/14, 8:31:59 PM] BroDude: I dont want to get more of these pics leaked
[11/14/14, 8:32:16 PM] BroDude: Btw
[11/14/14, 8:32:27 PM] BroDude: can me you and lulu get in a call so I can explain more
[11/14/14, 8:32:33 PM] BroDude: too long of a story to explain in chat
[11/14/14, 8:32:33 PM] BroDude: lol
[11/14/14, 8:33:12 PM] Devin: sure
[11/14/14, 8:33:14 PM] BroDude: alright
[11/14/14, 8:33:17 PM] BroDude: Call started
[11/14/14, 8:33:23 PM] BroDude: BroDude created a group conversation
Here’s the first picture from the Skype chat. I hid the private email address I had my penguin under, as nobody knew it but me….until this incident. This image is of Club Penguin’s moderator panel, where they can look up player info and edit it, such as the username, password, and parent email. They can also add notes to the penguin (I wish I knew what the 72 notes about me say) and see bans, transactions, and much more.
They also, unfortunately, got all of my private information. Last name, full address, and with a bit of searching, they found out the names of family members and what my house looks like.
They can see my full transaction history. Here’s a part of it:
So, what I’ve been able to gather is this:
- Sentrix’s friends (or people he knows) are the ones with access to Club Penguin’s mod panel (as well as other secured systems), and they gave him pictures
- Sentrix called Club Penguin and managed to trick Club Penguin Support (specifically Connor, sorry bud) into changing the parent account to his own email address. How was he able to trick Club Penguin? Simple – he had all my personal information, so with one simple call to Club Penguin and a few lies while pretending to be me, he managed to get it changed after “verifying” that “he” was really Trainman1405 calling Club Penguin.
So basically, anyone with this access they shouldn’t have can look up the details of ANY penguin and change the info on ANY penguin they please. I expected much better security from Disney. But alas, the damage has been done.
Also, for a little fun, Sentrix added four five-year memberships to his penguin account, since that’s a benefit of mods.
I’m lucky Sentrix/BroDude is a nice guy and didn’t take my penguin with malicious intent. But like I said, he and others now have access to my personal information. That’s a huge violation of privacy, and this is no doubt my worst Club Penguin experience in the eight years I’ve been playing. I expected much better. I knew Club Penguin’s been lacking in security this past year, but I didn’t know it was *this* bad…
Hopefully this giant mess gets sorted soon and I can get my penguin back. Club Penguin may be able to change my email address back but they can’t change my home address or last name to something once again private, the way it should be online. :[