We bring you breaking news of a reported database breach on CP Rewritten.
A statement has been left on the website, explaining the situation. It reads:
Club Penguin Rewritten has suffered a database breach. All of the accounts' usernames and passwords have been compromised. Although Club Penguin Rewritten encrypts passwords in MD5, it is still highly recommended you change your password on any other service where you use the same password. We are investigating further and will let everyone know once we have more information.
Passwords are hashed with MD5, but unfortunately MD5 hashes can easily be cracked, making your account password vulnerable. We strongly urge you to change your password elsewhere if you also used it on CP Rewritten.
Similar notices have also been posted on Twitter and the CP Rewritten Discord server, the latter of which reads:
Codey – Today at 6:58 PM
@here Club Penguin Rewritten has suffered a database breach. https://clubpenguinrewritten.pw/index.html
We will bring you more news as it comes.
Post update: CP Rewritten has released a second statement:
On April 13, 2017, at approximately 5:00 am CEST, Club Penguin Rewritten suffered a brutal security attack.
During this time, many penguins' accounts have been accessed, including our famous mascot accounts, and they started saying inappropriate stuff not meant for Club Penguin Rewritten.
Our administrative team was immediately informed and has taken the game down for inspection.
At first we thought this was a database breach and that penguins had been breached. However, after extensively looking at the logs and at the source code for Club Penguin Rewritten, we have come to the conclusion that this attack was from an issue in our code which allowed anyone to access any penguin with proper tools, not via a database breach.
We have contacted the hacker who has done this for more information. However, he has declined to help us or provide any information about it, but we have discovered certain penguins being on the popular text sharing website “Pastebin” with their usernames and passwords, claiming to be from Club Penguin Rewritten.
Immediately we have started our investigation, and we have discovered that there is a website which looks similar to Club Penguin Rewritten and is being used to steal accounts from our game. This was immediately reported to their web hosting provider's abuse team, who will handle this further.
We have patched this vulnerability in our code – however, since the hacker still declines to give out any information, we cannot rule out that there was no database breach, therefore we recommend that you change your password on Club Penguin Rewritten and any website that you used the same password as here.
Once our game re-launches, we will be adding a change password form together with a new encryption method which should prevent these things happening in the future.
In short, Club Penguin Rewritten believes that there is no database breach and that no accounts were compromised from our website, however, it is still recommended to change your password.
Just in: Flippy reaches out to SpeedyCPPSHQ for a statement, security team claims CPR suffered no database leak. See more:
Further investigation has confirmed that there was no database breach and all users' information is safe. We’ll release more information soon.
— CP Rewritten (@CPRewritten) April 14, 2017
UPDATE 3: CP Rewritten has come under question again, holding potential security risks.
CP Rewritten has tweeted that there could still be a security risk, just after the Pengur database was breached. They have since postponed the release until further notice.