Club Penguin fans hacked a Disney Confluence server to steal information about their favourite game but wound up walking away with 2.5 GB of internal corporate data, BleepingComputer has learned.
Club Penguin was a multiplayer online game (MMO) from 2005 to 2018, featuring a virtual world where players could engage in games, activities, and chat with other players. The game was originally created by New Horizon Interactive, which Disney later purchased.
While Club Penguin was officially shut down in 2017, and its successor, Club Penguin Island, in 2018, the game continues to live on in private servers run by fans and independent developers. Although Disney pushed back on a more prominent ‘Club Penguin Rewritten’ remake, causing its operators to be arrested, private servers continue to this day with thousands of players.
Club Penguin fans hack Disney
This week, an anonymous person uploaded a link to “Internal Club Penguin PDFs” on the 4Chan message board with the simple statement, “I no longer need these :).”
The link goes to a 415 MB archive containing 137 PDFs that contain old internal information about Club Penguin, including emails, design schematics, documentation, and character sheets. All of this data is seven years old, if not older, making it interesting only to fans of the game.
BleepingComputer has since learned that the Club Penguin data is only a small part of a much larger data set stolen from Disney’s Confluence server, which stores documentation for various business, software, and IT projects used internally by Disney.
According to an anonymous source, Disney’s Confluence servers were breached using previously exposed credentials.
The source says that the threat actors were initially looking for Club Penguin data; they wound up downloading 2.5 GB of data about Disney’s corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure.
“Lot more files here including internal api endpoints and credentials for things like S3 buckets,” an anonymous source told BleepingComputer.
The data, seen by BleepingComputer, includes documentation on a wide variety of initiatives and projects, as well as information on internal developer tools named Helios and Communicore, which have not previously been disclosed publicly.
CommuniCore is a “high-performance asynchronous messaging library, geared toward use in distributed applications.”
Helios is a show authoring and playback tool that allows Disney producers and authors to create interactive non-linear “experiences” using real world inputs from sensors in Disney’s parks.
Strewn throughout the documents are links to internal websites used by Disney developers, which could be useful for threat actors who wish to target the company.
While the Club Penguin data is fairly old, the rest of the data circulating on Discord is far newer, with information from 2024.
BleepingComputer was told that the original Club Penguin PDFs shared on 4Chan were stolen weeks ago. However, the Disney corporate data appears to have been downloaded much sooner, as the files contain the following text, “Document generated by Confluence on Jun 01, 2024 21:59.”
BleepingComputer contacted Disney multiple times with information and questions about the breach but has yet to receive a reply.