Club Penguin Rewritten 2018 Data Breach

Club Penguin Rewritten Fan Game Breach (2018): 1.7 Million Young Player Accounts Including Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Misconfiguration · Children · Email Address · IP Address · Password · Username
High Severity · Website / service breach

Fan-made recreation of Club Penguin game.

Verified by ObscureIQ Intelligence
Breach Risk Index: 67/100
Data Value: 40
Market Recency: 25
Since Breach: 419d

Breach Intelligence Summary

Entity: Club Penguin Rewritten · Actor: Unknown · Sources: 3 references
Attack: Misconfiguration
Profile: Community · Online multiplayer game recreation · Fan-run gaming platform · Global
Timeline: Breach (2018-01-21) · Indexed (Mar 04, 2025) · Year (2018)
Exposure: 1.7M records · 4 fields: Email Address, IP Address, Password, Username
Status: Reported

Executive Summary

Club Penguin Rewritten, an unauthorized fan recreation of Disney's Club Penguin game, suffered a data breach in January 2018. The incident exposed roughly 1.7 million unique email addresses tied to player accounts, alongside usernames, IP addresses, and passwords stored as bcrypt hashes.

The site was an independent project not affiliated with Disney, run by fans on the cprewritten.net domain. When contacted at the time, the team confirmed they were aware of the breach and stated that affected users had been notified. Bcrypt is a strong password-hashing algorithm, which limits the immediate risk of password recovery, but credential reuse across other services remains a concern.

The user base of Club Penguin Rewritten included a significant share of children under the age of thirteen, since the game was designed for and marketed to young players. That makes the breach particularly sensitive. The combination of email, username, and IP address can support credential stuffing, account takeover at other gaming or social services, and targeted contact attempts. Parents whose children registered at the site should rotate any reused passwords and remain alert to phishing aimed at young account holders.

ObscureIQ assessment: Primary risks include account takeover, password reuse, and harassment. Because the user base may include minors or young users, identity and safety risks are elevated.

Breach Impact

The 2018 incident generated little direct cost to Club Penguin Rewritten as an operation, since the project was an unauthorized fan recreation rather than a licensed business with formal compliance obligations. There was no regulatory action tied to the breach, no public class-action filing, and no settlement. The site continued to operate for four more years before its 2022 takedown by Disney and UK police. The breach's longer-term significance is reputational: it sits alongside a larger 2019 incident at the same site as evidence that fan-run children's gaming platforms typically lacked the moderation, safety, and security investment of licensed equivalents.

About Club Penguin Rewritten

Club Penguin Rewritten was a fan-run online recreation of Disney's original Club Penguin multiplayer game, operating at cprewritten.net from around 2017 to 2022. The site was an unauthorized recreation produced and maintained by independent fans rather than Disney, and it functioned as a free-to-play web game with player avatars, in-game chat, and persistent accounts. Its user base was global and skewed young, with a substantial share of players under the age of thirteen. At its peak during the pandemic, the site reportedly added tens of thousands of new accounts a day.

Why They Hold Your Data

Fan-run online gaming communities collect user accounts, usernames, emails, passwords, IP addresses, and in-game or community activity tied to multiplayer participation.

Recent Developments

The fan game was shut down in April 2022 after Disney filed a copyright complaint and the City of London Police's Intellectual Property Crime Unit seized the website. Three individuals associated with the project were arrested on suspicion of distributing material infringing copyright. The cprewritten.net domain was placed under police control, and the project's Discord server, which had over 140,000 members, was wiped at the same time. The site has remained offline since. Various other fan recreations have appeared in its absence, but none under the Club Penguin Rewritten name.

Data Points Exposed

4 verified field types
Email Address
IP Address
Password (Critical)
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Geolocation & account flagging
  • Credential stuffing & account takeover
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a password manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Club Penguin Rewritten breach?

Club Penguin Rewritten, an unauthorized fan recreation of Disney's Club Penguin game, suffered a data breach in January 2018. The incident exposed roughly 1.7 million unique email addresses tied to player accounts, alongside usernames, IP addresses, and passwords stored as bcrypt hashes.

The…

What data was exposed?

Verified fields include Email Address, IP Address, Password, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • DataBreach.com (Breach Index): record & field corroboration
  • Have I Been Pwned (Breach Index): record & field corroboration
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
