Club Penguin Rewritten, an unauthorized fan recreation of Disney's Club Penguin game, suffered a data breach in January 2018. The incident exposed roughly 1.7 million unique email addresses tied to player accounts, alongside usernames, IP addresses, and passwords stored as bcrypt hashes.\n\nThe site was an independent project not affiliated with Disney, run by fans on the cprewritten.net domain. When contacted at the time, the team confirmed they were aware of the breach and stated that affected users had been notified. Bcrypt is a strong password-hashing algorithm, which limits the immediate risk of password recovery, but credential reuse across other services remains a concern.\n\nThe user base of Club Penguin Rewritten included a significant share of children under the age of thirteen, since the game was designed for and marketed to young players. That makes the breach particularly sensitive. The combination of email, username, and IP address can support credential stuffing, account takeover at other gaming or social services, and targeted contact attempts. Parents whose children registered at the site should rotate any reused passwords and remain alert to phishing aimed at young account holders.

Fan-run online gaming communities collect user accounts, usernames, emails, passwords, IP addresses, and in-game or community activity tied to multiplayer participation.

The fan game was shut down in April 2022 after Disney filed a copyright complaint and the City of London Police's Intellectual Property Crime Unit seized the website. Three individuals associated with the project were arrested on suspicion of distributing material infringing copyright. The cprewritten.net domain was placed under police control, and the project's Discord server, which had over 140,000 members, was wiped at the same time. The site has remained offline since. Various other fan recreations have appeared in its absence, but none under the Club Penguin Rewritten name.