Data on 69 million Neopets users stolen and listed for sale on hacker forum
Email addresses, passwords, and zip codes are all thought to have been stolen by the hacker
Neopets, a site that allows users to collect digital pets and trade pet-related items, has been hit by a data breach that's thought to have affected around 69 million users.
Sensitive information such as email addresses, passwords, country, zip code, gender, and birthdays are all included in the leaked database.
A hacking forum user named ‘TarTarX’ was spotted advertising the entire database in exchange for 4 bitcoins (approximately $90,000 at time of writing), as first reported by BleepingComputer.
The owner of the hacking forum Breached.co, a user named ‘pompompurin’, verified the claims by creating a new account and asking for its details, which TarTarX was able to produce, according to the report.
The hacker indicated that they have not sought a ransom from Neopet owner JumpStart Games, instead seeking to sell to interested parties through their forum post. The precise methodology of the breach is still unknown.
Addressing the issue on Twitter, the company stated:
“Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The breach is the latest development in a history of similar events for Neopets, which was launched in 1999. In 2016, it was reported that the company database had been breached as early as 2012, leaking 70 million records. It was also alleged at the time that these passwords had been stored in plain text.
Neopets recently announced their own range of NFTs, to be used in an as-yet-unreleased Neopets Metaverse game. Users can already earn currency known as Neopoints on the website, to be spent on items. There is also Neocash, a currency used to buy special items, which has a chance to be won from games or can be bought by users at a rate of 100NC per $1.
“Once again, this story is a perfect illustration of why patching vulnerabilities is the most important thing any business can do to protect itself,” said Jamie Akhtar, CEO and co-founder of cyber security firm CyberSmart.
“While we don’t know the details of the breach, it’s likely that had Neopets carried out regular vulnerability testing and released regular patches to customers this could have been avoided. However, in the meantime, we would echo the advice of Neopets that customers should change their passwords as a matter of urgency.
“And, avoid using anything too similar to the original, now the hackers have the information it’s very easy for them to try multiple combinations until they gain access to accounts.”
Data breaches are an ever-present threat to organisations, including universities and recently even a Shanghai police database containing information on over a billion Chinese citizens.
IT Pro has contacted JumpStart Games for comment.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.