Disney Confluence server hacked. Almost 25 GB of data leaked - Responsibility claimed by group claiming to be disgruntled Club Penguin Fans.

mindlessobserver


The hack is rumored to be retaliation for Disney getting the operators of private servers of its shuttered Club Penguin MMO arrested. Club Penguin was an IP Disney acquired, apparently ruined and then shit canned.

I'm searching around 4chan now, but it seems the Jannies have already swept it up. Dedicated autists should try and find the data before it's gone. I can't understand why people bother to leak things onto current day 4chan these days.

Club Penguin fans hacked a Disney Confluence server to steal information about their favorite game but wound up walking away with 2.5 GB of internal corporate data, BleepingComputer has learned.

Club Penguin was a multiplayer online game (MMO) from 2005 to 2018, featuring a virtual world where players could engage in games, activities, and chat with other players. The game was originally created by New Horizon Interactive, which Disney later purchased.

While Club Penguin was officially shut down in 2017, and its successor, Club Penguin Island, in 2018, the game continues to live on in private servers run by fans and independent developers. Though Disney pushed back on a more prominent 'Club Penguin Rewritten' remake, causing its operators to be arrested, private servers continue to this day with thousands of players.

Club Penguin fans hack Disney

This week, an anonymous person uploaded a link to "Internal Club Penguin PDFs" on the 4Chan message board with the simple statement, "I no longer need these :)."

The link goes to a 415 MB archive containing 137 PDFs that contain old internal information about Club Penguin, including emails, design schematics, documentation, and character sheets. All of this data is seven years old, if not older, making it only interesting to fans of the game.

BleepingComputer has since learned that Club Penguin data is only a small part of a much larger data set stolen from Disney's Confluence server, which stores documentation for various business, software, and IT projects used internally by Disney.

According to an anonymous source, Disney's Confluence servers were breached using previously exposed credentials.

The source says that the threat actors were initially looking for Club Penguin data; they wound up downloading 2.5 GB of data about Disney's corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure.

"Lot more files here including internal api endpoints and credentials for things like S3 buckets," an anonymous source told BleepingComputer.

The data, seen by BleepingComputer, includes documentation on a wide variety of initiatives and projects, as well as information on internal developer tools named Helios and Communicore, which have not previously been disclosed publicly.

CommuniCore is a "high-performance asynchronous messaging library, aimed at use in distributed applications."

Helios is a show authoring and playback tool that allows Disney producers and authors to create interactive non-linear "experiences" using real world inputs from sensors in Disney's parks.

Strewn across the documents are links to internal websites used by Disney developers, which could be valuable for threat actors who wish to target the company.

While the Club Penguin data is fairly old, the rest of the data circulating on Discord is far newer, with information from 2024.

BleepingComputer was told that the original Club Penguin PDFs shared on 4Chan were stolen weeks ago. However, the Disney corporate data appears to have been downloaded much sooner, as they contain the following text, "Document generated by Confluence on Jun 01, 2024 21:59."

BleepingComputer contacted Disney multiple times with information and questions about the breach but has yet to receive a reply.
 
Dedicated autists should try and find the data before it's gone.
One question, because I unironically don't know. What's the legality of posting hacked stuff? I remember Null banning and deleting DSP hacked credit info. But I also know that there are journalistic protections for leaked info that was hacked. Is the hacker the only one on the hook?
 
One question, because I unironically don't know. What's the legality of posting hacked stuff? I remember Null banning and deleting DSP hacked credit info. But I also know that there are journalistic protections for leaked info that was hacked. Is the hacker the only one on the hook?
Short answer is it depends. Long answer is once the stuff is out there, it's out there.
 
The only comment on the article is interesting:
PENGY.png
 
Nothing to expect from Disney employees' negligence from higher-ups and shitty work ethics. Disney has since consistently nosediving the same path over and over again, so nothing special, but this is pretty intriguing from a former employee to leak data on a site for nobodies but retards. Bad idea for him/her to leak it on 4chan instead of a better alternative. Disney has girlbossed way too far to the sun.
 
I'm pretty sure I've found the original thread. (A) In said thread, there are two gofile links (Archive 1) (Archive 2). There is also this link, but it's personally not working for me.

Edit: I've found another thread. (A) It has more links, which I'll list below:

 
One question, because I unironically don't know. What's the legality of posting hacked stuff? I remember Null banning and deleting DSP hacked credit info. But I also know that there are journalistic protections for leaked info that was hacked. Is the hacker the only one on the hook?
Very illegal. Leaking confidential information is bad enough, but posting hacked stuff is far worse since the information was illegally acquired.
 
Quickly skimming through everything, the internal emails are interesting, along with the ban list. The character cards are probably interesting to people who care about Club Penguin. There's some abandoned Kingdom Hearts mobile game mentioned. It almost feels like they expected their Club Penguin mobile spinoff to fail.

I don't understand what the purpose of this is. Does anyone still care about Club Penguin?
Club Penguin revival servers still have thousands of active players. Until they get shut down.
 
Quickly skimming through everything, the internal emails are interesting, along with the ban list. The character cards are probably interesting to people who care about Club Penguin. There's some abandoned Kingdom Hearts mobile game mentioned. It almost feels like they expected their Club Penguin mobile spinoff to fail.


Club Penguin revival servers still have thousands of active players. Until they get shut down.
I would only assume that any fully grown adults who are desperate to play Club Penguin are either pedophiles or losers with very extreme cases of arrested development.
 
I would only assume that any fully grown adults who are desperate to play Club Penguin are either pedophiles or losers with very extreme cases of arrested development.
Yes but Disney bought the favored thing of those manchildren and then euthanized it. Just a pointlessly despotic move that annoyed people and now there's repercussions.
 