Whether you’re a new, or old Club Penguin Private Server player, we bring you a guide on how to keep safe on CPPSes.
As you may already know, a CPPS can be created by anybody, even by following a simple tutorial on how to do so. Your personal information is stored under their guard, but sometimes that guard slips and a database breach may arise. There has been many CPPS database breaches and leaks over the years, with some covered and not covered by Speedy CPPSHQ. You can view just some of the breaches here, to gain a better understanding of what you could face.
We hope that this guide will cover the basics of keeping safe on Club Penguin Private Servers.
For the majority of CPPSes, an email address is required on signup. Now, most people would input their personal email to skip the hassle and get to the game as soon as possible. But think carefully, as this is your first safety roadblock.
If you believe that you trust the CPPS enough to input a real email address, proceed. Although, if you are having doubts we recommend this:
- Create an alternate email address. Using a separate email address to represent your online identity may be a good idea, which can be utilized among any new CPPS you register for. Some servers even allow email addresses to be changed or updated, so if you have worries with your current email address and want it updated with an online-version, we recommend contacting the server via their support network if applicable.
Below is an example of a risk & scenario that could occur if you utilized a real email address:
|You register on a CPPS with an email address that contains your full name.||The database of that CPPS is leaked by a group individuals who have a vendetta against that CPPS. You information is then leaked, available to be viewed by the public. A person who dislikes you finds your email address, and searches your name and finds your social media profiles. They then threaten you, with that information in hand.|
For the most part, some servers do not require an account activation confirmation via email. So even utilizing a random email address such as “[email protected]“, could be verified via the registration, and still allow an account to be created. Although, we do not recommend this as having a real email that you can access associated with your account can benefit you with password resets, and server promotional material. Although this may come to use for throw-away accounts if you are wanting to just view the CPPS before deciding to play.
One of the most important things to note when registering for a CPPS, is choosing a password. You must understand that some servers may not be properly protected and if a leak is evident your password is out there, and there are also users who may also attempt to crack into accounts, for the benefits of in-game currency, special items, transfers, or ranks. We recommend:
- Using a strong, unique password for every CPPS you register for. We cannot stress this enough. It is important to use a unique password when registering. When we say we unique, we mean a password not used on another Club Penguin Private Server, social platform or even anything that requires a password such as a paypal account. When selecting a password, try a mix of lowercase & uppercase characters, numbers & symbols.
Below are examples of risks & scenarios that could occur in regards to passwords:
|You register on a CPPS with the same password as your Twitter account.||The database evidently is leaked, and before you could change your Twitter’s password, somebody unauthorized logs into your account and deletes all your tweets, posts inappropriately and exposes your Direct Messages.|
|You register on a CPPS with the password “password1“.||Somebody who is jealous of the high amount of in-game currency you have been boasting about comes after you and attempts to password guess by using a list of common passwords, and successfully breaks into your account and changes your password. They then transfer the in-game currency to another account.|
If you are struggling to form a password, we recommend using a Random Password Generator which will provide you with random characters you could use as a password, such as: BZ([email protected]?YeyzE+p9P. Random Password Generators are a great way of creating a strong password, without having to think to hard about it.
Expecting to remember such passwords is unlikely, so we recommend keeping note somewhere with all your important CPPS passwords, or better yet, utilizing a password manager to assist you. We recommend Dashlane, which is a free, secure password manager which you can download for iOS or Windows. After installing the software and creating an account, you can then begin to set up an easy password storage unit for all your CPPS passwords, which can be automatically logged in or copied to clipboard when in need. Dashlane also offers a built-in Random Password Generator, which is useful when signing up for a new CPPSes.
On the same note of passwords, something people often don’t think about is the ability to change their password. Checking if a server offers the ability to manage their account/change their password may come to good use if your password is in ever need or replacement.
Below is an example of a risk & scenario that could occur in regards to passwords:
|You register on a CPPS that does not offer the ability to change your password.||You accidentally paste your password in-game in a room full of users, and somebody notes down your password. You then are then constantly logged off the server, with users logging into your account and manipulating it. You are upset and even might cry.|
Sometimes, CPPSes may not offer an account manager where you can update your password, so getting in touch with a CPPS, such as opening a support ticket or contacting a certain team may be necessary. Remember: think twice about providing a plaintext password to a CPPS if they are manually making a password update. If it does come to this, generate a unique password, and not a password you would use elsewhere.
Two-Factor Authentication (or 2fa for short) is an extra layer of security for those who want it. In summary, it connects to a Smartphone app (such as Google Authenticator or Authy) and every time you log in, it will ask you for a 6 digit number that your smartphone randomly generates. If a user has your password, they will still be unable to gain access to your account, as your smartphone will generate a code, providing a two-step login.
Unfortunately, not all servers off this extra layer of account protection. But servers such as CPPS.me & Penguin Oasis, already do which can be toggled via the account manager. Users who are interested in this extra level of account protection should suggest it to the appropriate teams on their favorite CPPS, to hopefully see it offered on a larger range of servers.
Some servers log IP addresses. For the most part, they are used to perform back-end tasks, such as checks or bans. They could also be used to view sessions and allow users to see the last IP addresses logged on their account, to see if their account has been accessed by somebody else, like most social networking sites such as Twitter & Tumblr.
Although, when registering on a server that does not have a good reputation, we recommend utilizing a VPN (Virtual Private Network), which “mask” your IP address. For the most part, the most users could do with an IP address if it is evidently leaked in a database breach, is reveal your geo-location, but on some occasions, launch DDoS attacks.
IP Grabbing is when a person provides you with a URL to a website, which you think could be safe, but unfortunately is malicious. The user then can gain access to your IP address if you decide to click on the URL they sent you and therefore logs on their side. Sometimes, you may not even be aware of it happening, as it redirects so fast, and then directs you to innocent, such as a YouTube video or blog.
Below is an example of a risk & scenario that could occur in regards to IP Grabbing:
|A person on a CPPS links you for what you think is a YouTube video, but the link says “http://yoütu.be“. You think that’s a little strange but click it anyway.||Your IP address is then logged and recorded with the person. The person then does an IP geo-check and reveals your location to everybody on the CPPS.|
Thankfully, there are some ways you can avoid becoming a target, and be smarter & safer when it comes to IP grabbers.
- The majority of IP grabbers will have a strange website name, followed by a jumbled code (which is the tracking code) such as: https://SketchyWebsiteName.com/EYHVN9. If you remove the tracking code from the URL which was EYHVN9 in this example, and go to the website itself, and the website redirects to an IP Grabber website, you will know that the link is unsafe, and know not to visit the entire URL with the tracking code or your IP address could be logged.
Some examples of domains that belong to IP Grabber website are followed:
Remember, they are not limited to these domains, this is just an example.
- Sometimes, users may hide an IP Grabber tracking code behind a URL shortener, such as tinyurl.com, or goo.gl, to make it seem like a normal link. But behind it may contain a nasty redirect! Thankfully there is a way of checking it before you click it. WhereGoes? is a website that offers a path of all the redirects of a link, until it reaches its final destination. So you could easily point out if an IP grabber is hidden within.
Below is an example of a hidden IP Grabber, in a YouTube video that was shortened via Bit.do:
- You can also utilize a VPN (Virtual Private Network) or Virtual Browser (such as Rabb.it) if you think a URL may look sketchy. Simply enable your VPN and make sure it is properly working before clicking the URL.
Chat & Private Messages
Sometimes, servers may decide to log chat messages and even private messages, which is why you should be extra cautious about what is said in-game or privately.
- If you are wanting to share personal information with someone, do it over a more secure network. Whether it is sharing it over discord, or a social networking site.
Below is an example of a what could happen if a database breach occurs:
|You become very good friends with someone, and decide to give them your iCloud address, so you can add you on iMessage. You decide to go to a room that is unpopulated to share this information, thinking nobody can see.||Months later, the CPPS database is breached, along with account information, the chat messages were logged, and also leaked. Somebody goes through the leak and finds your iCloud address, and shares it around the community. You then receive tons of messages on your iMessage.|
Your personal information should stay personal. Although you can make friends and find relationships, the online community can become untrustworthy, giving the ability for people to be anybody they want to be. People can pretend who they are, lie about their age, or even seek to do harm. You should be mindful of what you tell people, whether it being something like your full name, your location, your phone number or school. Be careful with who you trust, because it can only take a moment for someone to turn on you, and then attempt to blackmail you with information.
- Be cautious with what you share with others online. Sometimes some things are left better unsaid.
Below is an example of a what could happen if you reveal personal information online:
|You tell your friend what school you go to, and where you live.||One day, you and your friend have a massive fight. They then threaten to do something, with them knowing your address and what school you attend.|
This guide is by no means to shame or target any CPPS in their security practices, or to scare others away from playing Club Penguin Private Servers. We believe new, and even current players should review how safe they are being online. We will continue to update this guide over time.