Phishing for teens in the Habbo Hotel


Teens just love using social networks for everything from posting naked photos online to wasting time during class at school. We also know that parents have little idea what teens get up to online but, it would appear, the teen online love affair has not gone unnoticed by young hackers who are actively targetting their fellow teenagers.

Researchers at the Imperva Application Defense Center have uncovered a new hack attack which specifically targets teens using the popular Habbo Hotel virtual world come social networking site. Since it launched in 2000, Habbo Hotel has gone on to see around 75,000 new avatars being registered daily and with monthly visitor totals of around 8 million uniques you can see why it might present an attractive target for hackers looking to spread malware or spam to a 'trusted' circle of freinds via compromised accounts.

According to Imperva ADC it was pretty easy to do the detective work that uncovered the Habbo Hotel attack. First researchers searched the T35 hosting site, favoured by certain hackers as it allows for PHP execution as well as providing sufficient free space for their nefarious purposes, using a simple filetype search for passwords stored as plain text at

This revealed a site, the URL of which I will not repeat here as it appears to still be up and running, containing a directory listing of thousands of Habbo Hotel users with data such as username, password, birthdate, email and snail mail details of both the user and their parents.

A little further digging found the alledged hacker behind the listing, openly bragging online about how the data was obtained courtesy of some simple phishing. Imperva says that the hacker had an Habbo account before being banned there by the name of chewingbum, and T35 also had a hosted site (since taken down) with the same name which acted as a phishing site for Habbo in the UK by tempting "the very young and innocent" to "give away their credentials for a promise of some game prizes".

Could it be that the people you might expect to be the savviest when it comes to online security, that is the generation that has known nothing other than a totally connected world and for whom social networking and virtual worlds are second nature, are actually more vulnerable to social engineering than you might think?

Member Avatar
Davey Winder

I've been a freelance word punk for more than two decades and for the last few years an Editorial Fellow at Dennis Publishing. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011. As well as working for DaniWeb I have been a Contributing Editor with PC Pro (the best selling IT magazine in the UK) for twenty years.


Thanks for sharing this article. This is horrifying.


Thanks so much for the tips, keep posting... :D

Isn't it about time forums rewarded their contributors?

Earn rewards points for helping others. Gain kudos. Cash out. Get better answers yourself.

It's as simple as contributing editorial or replying to discussions labeled or OP Kudos

This is an OP Kudos discussion and contributors may be rewarded
Start New Discussion
View similar articles that have also been tagged: