Yesterday it was brought to my attention that Flippr, a popular Club Penguin Private Server, or CPPS for short, was hacked and the user database was leaked. The database contains the usernames, passwords, email addresses, and IP addresses of all registered Flippr users. That means anyone who accesses the database can look up the information. If you were a Flippr user and your Flippr password was used anywhere else, change your password now!
Really, it’s recommended that you update your passwords every so often, so even if you use a completely different password for Flippr or don’t have a Flippr account at all, it’s still a good safety precaution.
So let’s talk about this Flippr hack. I don’t know the specific details about the hack; however, I can confirm that the database has leaked. Amongst other things, it lists the usernames, hashed passwords, email addresses, and IP addresses of all users. Take a look; of course, I am blurring the sensitive information.
The passwords in the database are MD5 hashes, meaning they’re not stored in plaintext. For example, if your password on Flippr is password, the database wouldn’t list the word password itself. It’d have the MD5 hash for it, which in this case is 5f4dcc3b5aa765d61d8327deb882cf99. However, a hash like this isn’t really protected: anyone can crack MD5 hashes (rather quickly, too) to reveal what the actual password is. Take a look at the cracking of the MD5 for password; it took 142 milliseconds to crack.
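To make the storage problem concrete, here is an added example (not code from Flippr or from the original post) that audits a constructed user table for unsalted MD5 hashes of common passwords, next to a hardened alternative using a per-user salt and PBKDF2. The usernames, the password list and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a tiny list of common passwords (not taken from the leak).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "penguin", "letmein"]
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage scheme the post describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_md5_entries(stored: dict) -> dict:
    """Audit helper: users whose stored MD5 equals the hash of a common password.

    Unsalted MD5 is deterministic and fast, so a single precomputed table
    covers every user at once. That is why these hashes fall so quickly.
    """
    table = {md5_hex(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None):
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    # Constructed user table; usernames are hypothetical.
    stored = {
        "user_a": md5_hex("password"),
        "user_b": md5_hex("x9!Lq0#vT2-long-unique"),
    }
    print("flagged by audit:", weak_md5_entries(stored))
    salt1, digest1 = hash_password("password")
    salt2, digest2 = hash_password("password")
    print("same password, different stored values:", digest1 != digest2)
    print("verifies:", verify_password("password", salt1, digest1))
```

With salted, slow hashing, two users with the same password get different stored values, so one precomputed table no longer covers the whole database.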
Theoretically, and I know it’s already been done, people can crack the MD5 password hashes in the Flippr database and try those passwords on Club Penguin accounts, Twitter accounts, even the email addresses listed alongside the usernames and passwords.
That’s why I highly recommend that if you had a Flippr account and used the same password elsewhere, you should change your passwords if you haven’t already. Generally it’s a good idea to update your passwords to something new from time to time, and you shouldn’t use the same password across multiple websites: if one site gets hacked, like in the case of Flippr, hackers can try to use that password to get into your other accounts. It’s a common occurrence in the cyber world.
The Flippr database does also list the IP addresses of players, meaning they can get a general idea of where Flippr players live (no exact address, no need to panic or worry). However, people aren’t going to care and look up that type of information for the average unknown player; it’s just high-profile players people like getting personal information on. *cough* like me.
So there’s that. Remember, I do not condone private servers. They may seem fun but it doesn’t change the fact that they are illegal and can be insecure, just like this Flippr hack demonstrates. I’m just here to help people out. :) And to the staff of Flippr, with sincerity I say that I am sorry this has happened to you.
So for the love of God, if you used Flippr and used your Flippr password anywhere else, CHANGE IT NOW.