The Club Penguin Experience Data Breach
The Club Penguin Experience Fan Game Breach (2024): 6K Young Player Accounts Including Password Hints Exposed
Fan-run remake of Club Penguin offering online gameplay for younger audiences.
Risk Interpretation
High sensitivity because minors may be affected. Exposure enables account takeover, harassment, grooming-adjacent abuse, and family-linked targeting.
Impact & Downstream Threats
The institutional impact on TCPE has been moderate given the small scale of the affected user base and the platform's prompt disclosure. Because TCPE operates as a fan-run community rather than a commercial children's service, formal regulatory obligations such as COPPA are less directly applicable than they would be to a commercial operator collecting equivalent data. However, the platform's user base includes minors, and the prompt-disclosure response has been favorably received within the fan
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
The Club Penguin Experience (TCPE), a fan-run revival of the discontinued Disney Club Penguin online game, suffered a data breach on October 14, 2024. The specific vulnerability that enabled the compromise has not been publicly detailed by TCPE. The platform sent prompt disclosure notices to impacted subscribers following the breach, which was indexed by Have I Been Pwned on October 26, 2024.
The breach affected approximately 6,342 user accounts based on records indexed by breach-tracking services. Compromised fields included email addresses, usernames, age group categorizations, and passwords stored as bcrypt hashes. Critically, the breach also included the plaintext password hints that some users had set for password recovery. A hint can reveal more about the underlying password than the hash does, particularly when the user chose a hint that closely describes the actual password. Bcrypt password storage represents modern cryptographic practice and provides meaningful resistance to brute-force cracking, but the plaintext hints partially undermine this protection by potentially providing direct clues to the underlying credential.
For affected users and the parents and guardians of any minors whose accounts may have been included, the practical risk profile combines credential-reuse exposure with child-safety concerns. The combination of email address and bcrypt-hashed password creates credential-stuffing risk on other platforms where users may have reused the same password, with the password hints providing additional support for targeted password-guessing attempts. The exposure of age group data combined with email address creates targeting risk for content directed at younger audiences, including phishing or social-engineering attempts that reference the Club Penguin community. Parents and guardians should change any reused passwords for the child or family member, enable two-factor authentication on related accounts where available, and remain alert to phishing attempts referencing TCPE or related Club Penguin properties. Affected users who received TCPE's disclosure notice should treat any credentials used on the platform as fully compromised across all uses.
About The Club Penguin Experience
The Club Penguin Experience (TCPE) is a fan-run revival of the original Club Penguin online game, which was operated by Disney from 2005 until 2017 and aimed at children and tweens. TCPE operates at thecpexperience.com as an unofficial fan continuation of the discontinued Disney property, providing browser-based multiplayer gameplay with a social environment. The platform is one of several Club Penguin-revival communities operated by independent developers and remains directed primarily at younger audiences who originally played Club Penguin. As a fan-run multiplayer gaming platform, TCPE maintains user account data including email addresses, usernames, age groups, and login credentials tied to youth-oriented multiplayer gameplay.
Why They Hold Your Data
Children’s game-remake communities collect user accounts, emails, usernames, and gameplay or forum activity tied to youth-oriented multiplayer participation.
Recent Developments
TCPE responded to the October 2024 breach with prompt disclosure to affected users, which is notable for a fan-run gaming community and stands in contrast to the limited or delayed disclosures common in the broader fan-game sector. Following the breach, TCPE issued direct notifications to impacted subscribers and the breach was indexed by Have I Been Pwned on October 26, 2024. The platform has continued to operate following the disclosure. The case has been cited in fan-game cybersecurity discussions as a positive example of disclosure practice despite the small scale of the platform and the absence of formal regulatory obligations of the kind that apply to commercial children's services.
Data Points Exposed
Canonical Fields
age:grouped, email_address, password, password_hint, username
Dark Web Verification
- Dataset containing ~6K records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: The Club Penguin Experience Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
