A virtual pet website called Neopets, whose users are mainly children, exposed sensitive data online. The exposed data includes personally identifying user information as well as credentials to company databases and employee email accounts. The exposure appears to stem from a misconfigured web server, which places Neopets in possible breach of children's privacy laws.
Neopets is a virtual pet website whose users are mainly children. It allows its users to care for digital pets called Neopets and explore the virtual world of Neopia. Users can also buy virtual items for their digital pets using Neopoints or Neocash. The website mixes creature collection and battling games with social elements.
Neopets was first launched in late 1999 by two independent developers, Adam Powell and Donna Williams. The website quickly became a worldwide sensation and was extremely popular in the early 2000s. Neopets was eventually bought by Viacom for $160 million in 2005. Then in 2014, Viacom sold Neopets to JumpStart Games for an undisclosed amount of money. Neopets is now owned by the Chinese company NetDragon, who acquired JumpStart Games in 2017.
Today, Neopets is no longer the online phenomenon it once was, but it still persists. Many thought the website would shut down this year because of Adobe Flash Player's end-of-life, since Neopets was largely built on Flash. However, the team behind the long-running website has decided to migrate from Flash to HTML5 and keep the site running. Neopets is also planning a mobile version of the website, and a Neopets animated series is in the pipeline.
PII Data Exposed and More
An independent researcher, John Jackson, recently noticed Neopets accounts for sale on a dark web forum. This led Jackson to scan the Neopets website with reconnaissance tools. The scan revealed a subdomain that exposed the website's codebase and the data stored alongside it.
Then, with the help of security researcher Nick Sahler, Jackson found that he was able to download the website's entire codebase. This gave the two researchers access to data such as database credentials and employee email addresses. They were also able to access user IP addresses and the company's private code repositories.
Speaking to The Security Ledger, Jackson said “This is extremely bad because even though we didn’t attempt to access PII [Personally Identifying Information], with these codebases we can undoubtedly do so.”
Jackson and Sahler were also able to access IP address information pertaining to the company’s internal devices and the logic behind the entire Neopets application.
Misconfigured Server at Fault
According to Jackson, the current issue appears to stem from a misconfigured Apache web server that served the site's source tree, and the credentials stored in it, to anyone who found the subdomain. Misconfigured servers are frequently the source of data exposures, regardless of whether they are hosted in-house or by a third party. This year, for example, there has been a spate of incidents involving misconfigured Elasticsearch servers, typically instances reachable from the internet without authentication. Companies including Microsoft, Wyze and Honda all exposed sensitive consumer data through Elasticsearch misconfigurations.
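As an added illustration, not Neopets' actual configuration (which the page does not show), the Apache 2.4 virtual host below pairs the kind of permissive setup that serves an entire source checkout with a hardened equivalent. The host name and paths (dev.example.com, /srv/app) are hypothetical, and Apache only accepts comments on their own lines, so the annotations sit above the directives they describe.

```apache
# Added example, not from the Neopets site or the article.
# Host name and paths are hypothetical placeholders.

# --- Weak: the whole checkout is the document root, listings are on ---
<VirtualHost *:80>
    ServerName dev.example.com
    # Everything in the checkout (.git/, .env, config files, logs) is under the web root.
    DocumentRoot /srv/app
    <Directory /srv/app>
        # "Indexes" makes Apache generate an "Index of /" listing for any directory
        # without an index file, so the tree can be browsed and downloaded wholesale.
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
# With the block above, GET /.git/HEAD, GET /.env or GET /config/ return file contents.

# --- Hardened: serve only the public subtree, deny listings and secrets ---
<VirtualHost *:443>
    ServerName dev.example.com
    # Only the public/ subtree is reachable; source, VCS metadata and config stay outside it.
    DocumentRoot /srv/app/public
    <Directory /srv/app/public>
        # No auto-generated directory listings.
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    # Defence in depth: even if DocumentRoot is later widened, refuse VCS metadata
    # and common secret, backup and log files outright.
    <DirectoryMatch "/\.(git|svn|hg)(/|$)">
        Require all denied
    </DirectoryMatch>
    <FilesMatch "(^\.env|\.(bak|old|orig|sql|log|ini|yml|yaml)$)">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After deploying the hardened block, run `apachectl configtest`, then request `/.git/HEAD` and a directory URL with a trailing slash and confirm both return 403 or 404 rather than file contents or an "Index of" page. For a staging or development host, a `Require valid-user` (or IP allow-list) on the whole vhost is the further step that would have kept a stray subdomain from being browsable at all.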
As for Neopets, this is not the first time the company has exposed user data. In 2016, a breach affecting some 27 million users came to light, in which usernames, passwords, IP addresses and other PII were leaked to third parties.
Neopets in Possible Breach of Children's Privacy Laws
The exposure could spell trouble for Neopets, as companies handling children's data are required to meet stringent children's privacy laws. These laws govern what data can be collected from children and how it must be managed. They also specify what content can be delivered to children, as well as the amount and type of advertising allowed.
In the US, companies handling children's data need to ensure they do not violate the federal Children's Online Privacy Protection Act (COPPA). The UK has similar protections within its Data Protection Act, and the EU's General Data Protection Regulation (GDPR) contains specific provisions on children's data. Neopets has users worldwide. Consequently, by exposing children's data, it could find itself in violation of all of these laws and regulations.
Moreover, the fines for violating children's privacy laws are not insignificant. For example, in September 2019, Google and its subsidiary YouTube were required to pay a $170 million penalty for violating COPPA. Then, in September of the following year, YouTube faced a lawsuit in the UK alleging violations of UK and EU children's privacy laws; the suit sought damages in excess of £2.5 billion from the Google-owned company.