When Disney shut down Club Penguin in 2017, millions of disgruntled fans were left without a virtual, penguin-based world to call home. This week, Bleeping Computer reports that threat actors hacked into Disney’s internal servers looking for old Club Penguin secrets, but ended up stealing 2.5 GB of up-to-date internal information regarding Disney’s much larger business.
An anonymous person uploaded a link to “Internal Club Penguin PDFs” on a 4Chan message board this week with the statement, “I no longer need these :).” The link includes 137 PDFs containing old internal information about Club Penguin, but according to Bleeping Computer, that was just a small percentage of everything stolen. The breach reportedly includes information, from as recently as June 2024, about Disney+, corporate strategies, advertising plans, Disney’s internal tools, and more. An anonymous source tells Bleeping Computer that Disney’s servers were breached using previously exposed credentials.
Disney did not immediately respond to Gizmodo’s request for comment.
The hacked data, which was seen by BleepingComputer, includes information on internal developer tools reportedly named Helios and Communicore, which have not previously been disclosed. Helios is said to be a tool that allows Disney producers and authors to create interactive non-linear experiences using real-world inputs and sensors from Disney’s parks. Communicore is allegedly a “high-performance asynchronous messaging library, aimed at use in distributed applications.”
According to the report, the data also includes links to internal websites Disney uses, which could expose the company to more threat actors moving forward. All of this information allegedly comes from Disney’s Confluence server, which stores documentation for various internal operations within Disney.
While the original Club Penguin has been offline for roughly seven years, the game still has a loyal group of fans and followers. Disney has quashed popular, but unauthorized reboots in the past. The City of London police, acting on the wishes of Disney, arrested three people in 2022 for running an unofficial reboot of Club Penguin that claimed to have millions of registered users. The website “Club Penguin Rewritten” was also shut down. In the absence of a Club Penguin platform, many longtime fans have been somewhat spiteful towardDisney, perhaps the motivation for this week’s hack.