A Warning To All Flippr CPPS Users: Change Your Passwords

Yesterday it was brought to my attention that Flippr, a popular Club Penguin Private Server, or CPPS for short, was hacked and the user database was leaked. The database contains the usernames, passwords, email addresses, and IP addresses of all registered Flippr users. That means anyone who accesses the database can look up the information. If you were a Flippr user and your Flippr password was used anywhere else, change your password now!

Really, it’s recommended that you update your passwords every so often, so even if you use a completely different password for Flippr or don’t have a Flippr account at all, it’s still a good safety precaution.

So let’s talk about this Flippr hack. I don’t know the specific details about the hack; however, I can confirm that the database has leaked. Amongst other things, it lists the usernames, hashed passwords, email addresses, and IP addresses of all users. Take a look; of course, I am blurring the sensitive information.

[Image: Screen Shot 2015-08-29 at 11.52.12 PM]

The passwords in the database are MD5 hashes, meaning they’re not stored in plaintext. For example, if your password on Flippr is “password”, the database wouldn’t show the word “password”. It’d have the MD5 hash for it, which in this case is 5f4dcc3b5aa765d61d8327deb882cf99. However, anyone can crack MD5 hashes (rather quickly, too) to reveal what the actual password is. Take a look at the cracking of the MD5 hash for “password”: it took 142 milliseconds.

[Image: Screen Shot 2015-08-29 at 11.55.33 PM]
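Why unsalted MD5 protects so little once a table leaks, shown beside a salted, deliberately slow alternative. This is an added example, not code from Flippr or from this post; the sample accounts, the function names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not taken from the leaked database).
SAMPLE_USERS = [("alice", "password"), ("bob", "password"), ("carol", "penguin123")]

# Assumed parameters for this example; tune the iteration count to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def md5_hex(password):
    """Unsalted MD5, as described in the post: always 32 hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 with a fresh random salt per account."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def accounts_sharing_a_hash(users, hasher):
    """Usernames whose stored hash equals another account's stored hash."""
    by_hash = defaultdict(list)
    for name, password in users:
        by_hash[hasher(password)].append(name)
    return sorted(n for names in by_hash.values() if len(names) > 1 for n in names)


if __name__ == "__main__":
    print(md5_hex("password"))  # the hash quoted in the post
    print(accounts_sharing_a_hash(SAMPLE_USERS, md5_hex))        # reuse is visible
    print(accounts_sharing_a_hash(SAMPLE_USERS, hash_password))  # salts hide reuse
```

With unsalted MD5, every account using the same password stores the same hash, so one recovered password exposes all of them; per-account salts and a slow key-derivation function remove that shortcut.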

Theoretically, and I know it’s already been done, people can crack the MD5 hashes in the Flippr database and try those passwords on Club Penguin accounts, Twitter accounts, even the email addresses listed alongside the usernames and passwords:

[Image: Screen Shot 2015-08-29 at 11.52.34 PM]

That’s why I highly recommend that if you had a Flippr account and used the same password elsewhere, you should change your passwords if you haven’t already. Generally, it’s a good idea to update your passwords to something new from time to time, and you shouldn’t use the same password across multiple websites, because if one site gets hacked, as in the case of Flippr, hackers can try to use that password to get into your other accounts. It’s a common occurrence in the cyber world.

The Flippr database does also list the IP addresses of players, meaning they can get a general idea of where Flippr players live. (no exact address, no need to panic or worry). However, people aren’t going to care and look up that type of information for the average unknown player, it’s just high profile players people like getting personal information on. *cough* like me.

[Image: Screen Shot 2015-08-29 at 11.52.47 PM]

So there’s that. Remember, I do not condone private servers. They may seem fun but it doesn’t change the fact that they are illegal and can be insecure, just like this Flippr hack demonstrates. I’m just here to help people out. :) And to the staff of Flippr, with sincerity I say that I am sorry this has happened to you.

So for the love of God, if you used Flippr and used your Flippr password anywhere else, CHANGE IT NOW.

14 thoughts on “A Warning To All Flippr CPPS Users: Change Your Passwords”

    • It doesn’t matter how long or short a password is, the MD5 hash of it will always be the same length of characters as all other MD5 hashes. It’s just how MD5 is built.

  1. Oh so when I try and have a civil conversation, you won’t discuss it. But then this happens and suddenly the rules are lifted. [expletive removed]

    • IMO we had a semi civil conversation. I still stand by the fact that I don’t support private servers, however I think it’s fair of me to give a warning to the users of Flippr regarding the hack and express condolences. There’s no rules I’m lifting. It’s not like I’ve suddenly changed my stance on the topic. If you feel differently then that’s fine with me.

  2. Trainman is a little late. Sandor already confirmed that Flippr closed and that the website host and @FlipprCPPS Twitter have been hacked and are no longer in his power. Also, he confirmed that he didn’t store the users’ IPs, so those that appear are completely fake.

  3. Although the end-result is what it is, we were not technically hacked. A former administrative member of the Flippr team decided to pair up with an owner of another Club Penguin private server (specifically Tybone10 from Oasis.ps) and back-stab us. It was not necessarily a security issue, so much as it was an internal one involving trust since Lucas already had access to all of our stuff.

    I’m deeply sorry to everyone whose passwords are out there, and anyone whose accounts get compromised as a result of this leak. :(
