Data on 69 million Neopets users stolen and listed for sale on hacker forum

Email addresses, passwords, and zip codes are all thought to have been stolen by the hacker

21 July 2022

Neopets, a site that allows users to collect digital pets and trade pet-related items, has been hit by a data breach that’s thought to have affected around 69 million users.

Sensitive information such as email addresses, passwords, country, zip code, gender, and birthdays are all included in the leaked database.

A hacking forum user named ‘TarTarX’ was spotted advertising the entire database in exchange for 4 bitcoins (approximately $90,000 at time of writing), as first reported by BleepingComputer.

The owner of the hacking forum, a user named ‘pompompurin’, verified the claims by creating a new account and asking for its details, which TarTarX was able to produce, according to the report.

The hacker indicated that they have not sought a ransom from Neopets owner JumpStart Games, instead seeking to sell to interested parties through their forum post. The precise methodology of the breach is still unknown.

Addressing the issue on Twitter, the company stated:

“Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.”

The breach is the latest development in a history of similar events for Neopets, which was launched in 1999. In 2016, it was reported that the company database had been breached as early as 2012, leaking 70 million records. It was also alleged at the time that these passwords had been stored in plain text.

Neopets recently announced their own range of NFTs, to be used in an as-yet-unreleased Neopets Metaverse game. Users can already earn currency known as Neopoints on the website, to be spent on items. There is also Neocash, a currency used to buy special items, which has a chance to be won from games or can be bought by users at a rate of 100NC per $1.

“Once again, this story is a perfect illustration of why patching vulnerabilities is the most important thing any business can do to protect itself,” said Jamie Akhtar, CEO and co-founder of cyber security firm CyberSmart.

“While we don’t know the details of the breach, it’s likely that had Neopets carried out regular vulnerability testing and released regular patches to customers this could have been avoided. However, in the meantime, we would echo the advice of Neopets that customers should change their passwords as a matter of urgency.

“And, avoid using anything too similar to the original, now the hackers have the information it’s very easy for them to try multiple combinations until they gain access to accounts.”

Future Publishing
