My Penguin Has Been Stolen Because Club Penguin’s Security Sucks

“Did someone hack you o.o” – that was the iMessage I suddenly received from my friend 77lulu77. At first I was doubtful, as earlier this year Club Penguin had penguins creating usernames of already taken penguin names thanks to an invisible character bug. Except it was no fake penguin with the username Trainman1405 and hacked items. It was THE Trainman1405. The Trainman1405 penguin created August 4, 2006 – 3,204 days ago.


Lulu: did someone hack you o.o
Me: check pins
Me: and stamps
Lulu: i did
Lulu: o.o
Me:where are you lol ill go on another penh

Me: peng*
Me: to see

Lulu: sleet ice burg
Me: someones on my penguin

Hacked Trainman1405 Password

Someone on my penguin that’s not me

As it turns out, the person on my penguin is called Sentrix. And while he’s a good guy, the people with access to Club Penguin’s moderator panel are not. That’s right, people have access to Club Penguin’s moderator panel and they shouldn’t.


 

Trainman1405 Hacked Parent Account

Sentrix removed Trainman1405 from my parent account and put it on his own

As I said, Sentrix, aka BroDude, is a good guy. While yes, he hacked my penguin, he did it to bring light to this major flaw in Club Penguin’s system. His friends (or people he knows) are the ones who have access to the vulnerability and they gave him pictures of Club Penguin’s mod database for my penguin. Here’s my Skype conversation:

[11/14/14, 6:53:26 PM] BroDude: Devin
[11/14/14, 8:02:52 PM] BroDude: Devin
[11/14/14, 8:27:41 PM] Devin: so i hear you got my penguin lol
[11/14/14, 8:28:07 PM] BroDude: yeah lol
[11/14/14, 8:28:15 PM] BroDude: I got your account and I feel terrible
[11/14/14, 8:28:20 PM] BroDude: so I wanna give it back
[11/14/14, 8:28:23 PM] Devin: well at least you’re not malicious lol
[11/14/14, 8:28:26 PM] Devin: but how’d you do it
[removed upon request]
[11/14/14, 8:29:18 PM] BroDude: Devin
[11/14/14, 8:29:21 PM] BroDude: I needed to talk to you
[11/14/14, 8:29:25 PM] BroDude: because I realised that what I did
[part removed]
[11/14/14, 8:29:39 PM] BroDude: lol…..
[11/14/14, 8:29:49 PM] Devin: nah not gonna do that
[11/14/14, 8:30:07 PM] BroDude: alright
[11/14/14, 8:30:12 PM] BroDude: let me quickly get you the pics
[11/14/14, 8:30:34 PM] BroDude: heres 1 of em
[11/14/14, 8:30:35 PM] BroDude: [pic removed as it contains some sensitive info, see below for a similar image with a little info redacted]
[11/14/14, 8:30:57 PM] BroDude: [pic removed, contains my payment history with club penguin]
[11/14/14, 8:31:19 PM] Devin: what are the notes under my account lol I’m curious
[11/14/14, 8:31:25 PM] BroDude: I dont know
[11/14/14, 8:31:30 PM] BroDude: I dont have access to the panel
[11/14/14, 8:31:33 PM] Devin: ah okay
[11/14/14, 8:31:34 PM] BroDude: only pictures
[11/14/14, 8:31:41 PM] BroDude: and im not asking for more
[11/14/14, 8:31:59 PM] BroDude: I dont want to get more of these pics leaked
[11/14/14, 8:32:16 PM] BroDude: Btw
[11/14/14, 8:32:27 PM] BroDude: can me you and lulu get in a call so I can explain more
[11/14/14, 8:32:33 PM] BroDude: too long of a story to explain in chat
[11/14/14, 8:32:33 PM] BroDude: lol
[11/14/14, 8:33:12 PM] Devin: sure
[11/14/14, 8:33:14 PM] BroDude: alright
[11/14/14, 8:33:17 PM] BroDude: Call started
[11/14/14, 8:33:23 PM] BroDude: BroDude created a group conversation

Here’s the first picture from the Skype chat. I hid the private email address I had my penguin under, as nobody knows it but me….until this incident. This image is of Club Penguin’s moderator panel where they can look up player info and edit it such as the username, password, and parent email. They can also add notes to the penguin (I wish I knew what the 72 about me are) and see bans, transactions, and much more.


They also, unfortunately, got all of my private information. Last name, full address, and with a bit of searching, they found out the names of family members and what my house looks like.


They can see my full transaction history. Here’s a part of it:


So, what I’ve been able to gather is this:

  1. Sentrix’s friends or something are the ones with access to Club Penguin’s mod panel (as well as other secured stuff) and they gave him pictures
  2. Sentrix called Club Penguin and managed to trick Club Penguin Support (specifically Connor, sorry bud) into changing the parent account to his own email address. How was he able to trick Club Penguin? Simple – he had all my personal information, so with one simple call to Club Penguin and a few lies while pretending to be me, he managed to get it changed after “verifying” that “he” was really Trainman1405 calling Club Penguin.


So basically, anyone with this access they shouldn’t have can look up details of ANY penguin and change the info on ANY penguin they please. I expected much better security from Disney. But alas, the damage has been done.

Also, for a little fun Sentrix added four five-year memberships to his penguin account since it’s a benefit of mods.


I’m lucky Sentrix/BroDude is a nice guy and didn’t take my penguin with malicious intent. But like I said, he and others now have access to my personal information. That’s a huge violation of privacy and this is no doubt my worst Club Penguin experience in the eight years I’ve been playing. I expected much better. I knew Club Penguin’s been lacking in security this past year, but I didn’t know it was *this* bad…

Hopefully this giant mess gets sorted soon and I can get my penguin back. Club Penguin may be able to change my email address back but they can’t change my home address or last name to something once again private, the way it should be online. :[



115 thoughts on “My Penguin Has Been Stolen Because Club Penguin’s Security Sucks”

  1. Great post, Train, glad to see it come to light. Also, in your Skype chat up there Sentrix said the s-word and you didn’t block it.

        • No, no they didn’t. Cloud Penguin doesn’t have the capacity to do THIS much damage to Club Penguins security problem. Again Train, thanks for bringing this topic to light. So that every CP player and parent knows about how dangerous this situation is.

          Now this is a message for CP, you have only patched small item adders, while there are still huge ones out there and you’ve failed to take action. You know other adders and hacking devices are out there, and you failed to take action. And because of the lack of security and privacy in Disney’s servers (which clearly you all know about.) this has happened. C’mon guys, you have the intelligence, you have the money. Fix this issue, or one day you will lose control of the amount of hackers attacking and changing Club Penguin will be unimaginable. Fix it, while you still can. For the sake of the children, parents, bloggers and yourselves. We beg you.

          -Waddle On.

  2. The pictures were actually meant to be private (your account was never touched, Sentrix is the one who called CP and used the details shown as an example to gain access to your account), Sentrix is the one who is to blame not CP (as CP was working towards fixing this before any of this happened).
    Lesson learnt: Don’t show Sentrix anything you want to keep private between you both.

  3. CP better see this. Are you still going to post CP stuff? (Because your penguin was hacked…) Hopefully they’ll remove the item adders and etc. And yes, I agree that their security sucks…

  4. Wow, wow! That is really pretty shocking. Hopefully Club Penguin Team will understand that their security sucks. They haven’t even fixed exploits like Club Penguin Item Adder yet. Yeah, I have to admit that 2014 is the worst year.

    Yes, that post shocked me, Trainman1405.

    • They already are in progress of doing that since this was discovered awhile ago but kept private since it puts everyone’s information at risk. The screenshots of trainmans account were examples that were meant to be private but Sentrix took advantage of this and took control over trainmans account by calling CP and pretending to be him using information from the screenshots.


  5. Really, despite that Club Penguin’s security has gone downhill recently a circumstance like this would have been the last thought and idea in my mind. I mean, we all have trusted CP with our most private information, passwords, and other necessary details. I can’t even blame but rather sympathize for the longtime players or even young children discontinuing from playing Club Penguin for the lack of security and quality this past year. I can envision that they may or will be working more on the security of the game at the start of the new year in the next two months, What they need is to hire more experienced and professional technical members (don’t even know what’s the right profession or term for these kind of workers, hmm…)

  6. Wow… that’s terrible. What I’ve been ashamed of this year is not the quality of parties and features, but Club Penguin’s technical side. Unfixed bugs, rare item adders, puffle adders, large money makers, you name it. But this, this does it. I’m sick of Club Penguin standing by while people hack rare items, unreleased puffles and obtain other people’s accounts. Even I was fooled, when I saw “you” were online on my Friend’s List. Club Penguin needs to STOP STANDING BY, FIX THE BUGS, AND START PAYING ATTENTION TO THESE THINGS. Raging like this is out of character for me, but I’m so, very disappointed in Disney, Club Penguin, and anyone else associated with this security issue. I’m so glad Sentrix is a good guy, and that no major damage was done. I’m sorry your account and private info was stolen, and I hope you get your account back soon. I am sending this post to CP Support as I type this.

  7. My buddy list kept saying you were online and offline again, I was wondering what it was. Guess I know now. Did the problem stop?

  8. That’s terrible. Club Penguin needs to give you something better than a confirmation email! How about membership, the dude went through a hard time! Surely some membership could make his day a bit better..

  9. I’m sorry but Sentrix was like: “Hey Train I stole your penguin and I know everything about you so I’m sorry by that. PD: It all was a mistake, I had access to mod panel so I stole it by accident :(” LOL

  10. And children, that is why CPPS and ITEM ADDERS are more searched than CLUB PENGUIN in the past year. CP is going down hill, by reading this I just want to quit my payments like this is ridiculous.

  11. The thing with having a CP APP for portable devices (eg. mobile) means that it’s even harder than ever to track your penguin when it is hacked through the app. This happened to me and they couldn’t work out who did it. I eventually found who did it (not saying any names), and they were nice enough to apologise to me and even wanted punishment from me. I didn’t do it though. I have morals.

  12. I’m happy that someone at least notified you, Train, because if this were to happen to me, I would have never realized and gotten into some trouble. It’s a good thing, as well as bad thing though. Good thing because now Club Penguin knows how weak their security system is, and the bad thing is your private information, is no longer a secret; thanks to Club Penguin’s security system. I’m glad you’re getting your account back, because you’ve been working hard since the very first day you joined Club Penguin.

    It’s sad and disappointing to see how Club Penguin assures every parent/user that their game is guarded with advanced technology, when that is clearly not the case. Even though they might fix this, I will never, in my life again feel comfortable to play Club Penguin as I will always know my private information is at risk.

    Great post, and I support you with this. I hope they fix up their security information as I find it more important than parties, updates and applications.

  13. I’m personally friends with Sentrix myself and I’m surprised he did that. I know the people that have access to this stuff (I’m not going to say who) and you’re all fine, they’re not going to do anything extreme.

  14. Wow. I haven’t been on club penguin since maybe January, and I occasionally check back on this site to see what has been happening in my (old) favourite game. I haven’t checked in maybe 2 months though because of moving. Imagine my surprise and shock to see that something like this has been made possible. And item adders? Money makers? That’s unbelievable. Kinda makes me glad I stopped playing the game back in January. I actually checked my penguin to see if it was unpacked another thing I haven’t done since January.

    -Mickman5

  15. This is terrible. This never should have happened to you. But there’s something needed to be known, how did Sentrix’s associates get ahold of the mod panel? Hacking?

  16. “Since the beginning, Club Penguin’s made online safety a priority – we believe kids should know how to stay safe online.” ~Club Penguin’s Safety page.
    Hmm, not really…

  17. keep using your Silly excuse thAt you’Re working on mobile apps Club penguin, i get it, playing in An ipad iS more iMportant than security, i mean, who needs life when you have an ipad, and play over unlimited apps in the world?

    Love you club penguin!

    p.s. I hope you peeps find my secret message! :D

  18. Pingback: Club Penguin-Trainman1405 Hacked and Stay Safe Online | Club Penguin Reveals 2014

  19. So sorry trainman for that, i know how you are feeling right now, if someone would steal my penguin and know my last name and my address or even the credit card number, i would be really mad. Train why don’t you send a message to cp team and tell them what happened so they can improve their security and so it can’t happen to anybody? That sucks, sorry train to hear that

  20. Wow… Train, since a security breach occurred that exposes your personal information, thus putting your privacy and safety at risk, you could now sue Disney and likely get millions of dollars. This is outrageous and I wonder how the people who have access to this “Moderator System” are using the data they have available to them.

      • This is a sign that you must drop it the CP forever, being the game, blog; why it doesn’t this leaving following a really good way of life. And the destination did this with your Penguin for you to stop and reflect on this event along with their real life …

  21. “They also, unfortunately, got all of my private information. Last name, full address, and with a bit of searching, they found out the names of family members and what my house looks like.”

    That one bit is indeed scary. Imagine these terrible people breaking in your house.

    • All,
      The Club Penguin would not be able to stuff like that, anyway, you should know that when membership will do, they ask for your address, but do not worry, I’m sure they will not do anything!

  22. (This is in Spanish)
    It has happened to me, I had the same experience as you and the truth is that it is terrible, Club Penguin banned me invalidly because of whoever hacked me, changed my password and email, and even published my password on my own Youtube channel, Club Penguin to this day has never given me my account back…

    -Español-

  23. i am shocked if they can get into accounts like yours trainman who knows what people would do they could ban your penguin forever to bunches of penguins club penguin staff really needs to step up security.

  24. Pretty sure there’s some sort of legal action you can take against Club Penguin.. Not that you need to, if you don’t feel your safety is threatened. But you gave them personal information about you, under the assumption that it would always be protected. They have a LEGAL obligation to protect this info, so if they aren’t properly keeping third parties from accessing your info, they are liable for any damages. Even if nothing happens, which it probably won’t, they are still responsible for violating the proper security and safety that you and your family are entitled to.

    Good luck with dealing with this situation, Trainman! And I also really hope CP realizes how serious the situation is. This goes wayyy beyond indirectly stealing profit from CP and being unfair to other players, the way item adding is. This is downright dangerous.

  25. While I do personally know some of the people behind this, do not worry, they do not have any intentions of doing anything. Sentrix’s doing was an accident as the pictures were not supposed to be leaked nor was he supposed to do such thing as calling CP support (you know the story). On the bright side, while it was all a dumb move, I believe he wasn’t all that bad in this case since he’s not a bad fellow, not at all. I’m hoping to see some proper security from Disney soon. Unless they want someone reaching their SWF archives at some point.

  26. This is exactly what happened to me. Someone hacked my account and added it a 5 year membership and it took CP 4 weeks to find out, I never knew that it happened. I noticed the membership badge and checked my membership history and somebody did it to me. I’m banned forever. For this, I need to use my sister’s account. :(

  27. Sanity1 starts all this history….but
    1 day will finish?
    CP is the only game that doesnt have more that 90% hackers than other games that have 90% of hacks OR MORE!
