A Warning To All Flippr CPPS Users: Change Your Passwords

By / August 29, 2015


Yesterday it was brought to my attention that Flippr, a popular Club Penguin Private Server, or CPPS for short, was hacked and the user database was leaked. The database contains the usernames, passwords, email addresses, and IP addresses of all registered Flippr users. That means anyone who accesses the database can look up the information. If you were a Flippr user and your Flippr password was used anywhere else, change your password now!

Really, it’s recommended that you update your passwords every so often, so even if you use a completely different password for Flippr or don’t have a Flippr account at all, it’s still a good safety precaution.

So let’s talk about this Flippr hack. I don’t know the specific details about the hack; however, I can confirm that the database has leaked. Amongst other things, it lists the usernames, hashed passwords, email addresses, and IP addresses of all users. Take a look; of course, I am blurring the sensitive information.

[Screenshot]

The passwords in the database are MD5 hashes, meaning they’re not stored in plaintext. For example, if your password on Flippr is password, the database wouldn’t show the word password. It’d have the MD5 hash for it, which in this case is 5f4dcc3b5aa765d61d8327deb882cf99. However, anyone can crack MD5 hashes (rather quickly, too) to reveal what the actual password is. Strictly speaking, a hash isn’t decrypted; it’s reversed by looking it up or by hashing guesses until one matches. Take a look at the crack of the MD5 for password; it took 142 milliseconds.

[Screenshot]
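An added example (not code from the original post or from Flippr) showing why the unsalted MD5 scheme described above falls to a plain table lookup, next to a salted, slow alternative. The guess list, the function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed guess list for illustration; not taken from the leaked database.
GUESSES = ["123456", "penguin", "password", "letmein"]

def md5_hex(password):
    """Unsalted MD5, the scheme the post describes: always 32 hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def lookup(leaked_hash, guesses=GUESSES):
    """Return the guess whose MD5 equals leaked_hash, or None if none matches."""
    table = {md5_hex(g): g for g in guesses}  # built once, reusable for every row
    return table.get(leaked_hash)

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256: a random per-user salt and a slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)

def compare_schemes(password="password"):
    """Hash one password for two hypothetical users under both schemes."""
    md5_a, md5_b = md5_hex(password), md5_hex(password)
    pb_a, pb_b = hash_password(password), hash_password(password)
    return {
        "md5_identical": md5_a == md5_b,         # same password -> same hash
        "md5_recovered": lookup(md5_a),          # found by a plain table lookup
        "pbkdf2_identical": pb_a[2] == pb_b[2],  # different salts -> different hashes
        "pbkdf2_verifies": verify_password(password, *pb_a),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

With a per-user salt, two users who pick the same password no longer share a stored hash, and the slow derivation makes each guess far more expensive than a single MD5 call.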

Theoretically, and I know it’s already been done, people can crack the MD5 passwords in the Flippr database and try those passwords on Club Penguin accounts, Twitter accounts, even the email addresses listed alongside the usernames and passwords:

[Screenshot]

That’s why I highly recommend that if you had a Flippr account and used the same password elsewhere, you should change your passwords if you haven’t already. Generally it’s a good idea to update your passwords to something new from time to time and you shouldn’t use the same password across multiple websites, as if one site gets hacked, like in the case of Flippr, hackers can try and use that password to get into your other accounts. It’s a common occurrence in the cyber world.

The Flippr database does also list the IP addresses of players, meaning anyone with the database can get a general idea of where Flippr players live (no exact address, no need to panic or worry). However, people aren’t going to care and look up that type of information for the average unknown player; it’s just high profile players people like getting personal information on. *cough* like me.

[Screenshot]

So there’s that. Remember, I do not condone private servers. They may seem fun but it doesn’t change the fact that they are illegal and can be insecure, just like this Flippr hack demonstrates. I’m just here to help people out. :) And to the staff of Flippr, with sincerity I say that I am sorry this has happened to you.

So for the love of God, if you used Flippr and used your Flippr password anywhere else, CHANGE IT NOW.

Leave a Response

Phcool23

Oh no. HOW DO I CHANGE IT!?!

Trainman1405

Which website?

Taqi14

Thanks for the warning, but how come all the passwords have the same length? Some passwords should be short, some would be long, I’m confused

Trainman1405

It doesn’t matter how long or short a password is, the MD5 hash of it will always be the same length of characters as all other MD5 hashes. It’s just how MD5 is built.

Sandor

Oh so when I try and have a civil conversation, you won’t discuss it. But then this happens and suddenly the rules are lifted. [expletive removed]

Trainman1405

IMO we had a semi civil conversation. I still stand by the fact that I don’t support private servers, however I think it’s fair of me to give a warning to the users of Flippr regarding the hack and express condolences. There’s no rules I’m lifting. It’s not like I’ve suddenly changed my stance on the topic. If you feel differently then that’s fine with me.

pup2602

well in a way if most of the cp passwords got out I think that trainman should let the players know that their real cp passwords got out

PH (@TryNotPH)

Trainman is a little late. Sandor already confirmed that Flippr closed and that the website host and @FlipprCPPS twitter have been hacked and are no longer in his power. Also, he confirmed that he didn’t store the users’ IPs, so those that appear are completely fake.

pup2602

Ok not to be mean but Sandor has lied about Flippr a lot. She said the Flippr was not illegal and it was.

Sandor

I maintain my stance that Flippr is not illegal. I have not lied.

Trainman1405

You’ll have your stance on the subject and I’ll have mine.

zoom zoom103

one of the reasons why I don’t use CPPS

Arthur

Although the end-result is what it is, we were not technically hacked. A former administrative member of the Flippr team decided to pair up with an owner of another Club Penguin private server (specifically Tybone10 from Oasis.ps) and back-stab us. It was not necessarily a security issue, so much as it was an internal one involving trust since Lucas already had access to all of our stuff.

I’m deeply sorry to everyone whose passwords are out there, and anyone whose accounts get compromised as a result of this leak. :(

Johns

I never go in flipprs. Flippr to be closed forever.