Neopets Suffers Data Breach, About 69 Million Users Affected

Neo Monster Character on a pink background

Neopets revealed on Thursday it may have been the victim of a data breach. The company made the statement after a hacker claimed to have stolen the “sensitive personal information” of up to 69 million users.

Neopets said it “appears” the leaked data includes users’ email addresses and passwords. However, the hacker, who made the revelation on a hacking forum, claims the stolen data includes birthdates and names, IP addresses, passwords, zip codes, and other information.

Neopets is a web service where users can grow and play with virtual pets. It is immensely popular and has been around since 1999. In October last year, the company announced that it was venturing into the NFT space.

Unfortunately, this is not the first time Neopets has suffered a major data breach. In 2016, the company revealed that a leak affected its entire user base—27 million users at the time. Neopets also suffered a breach in 2020, after a researcher found a listing of user accounts on a dark web forum.

Details of the Neopets Data Breach

On Tuesday, July 19, a hacker with the username “TarTarX” offered to sell the Neopets.com source code and a database of its users’ data for 4 BTC (approximately $90,000) on Breach Forums. TarTarX claims that the database contains the sensitive data of about 69 million Neopets users.

TarTarX told Bleeping Computer that they “stole the database and approximately 460MB (compressed) of source code for the neopets.com website.”

According to TarTarX, access to the database allows you to “modify data, credits or in-game pets, attributes…  EVERYTHING you want.”

They did not disclose how they breached Neopets, and it is unclear if the stolen data has been sold. However, potential buyers have shown interest in the listing.

Changing Passwords Is Potentially Ineffective

In a tweet confirming the breach, Neopets recommended that users change their passwords.

“If you use the same password on other websites, we recommend that you also change those passwords,” the company wrote.

However, this may not help users protect their accounts, according to the moderators of an unofficial Neopets Discord server. They explained that changing passwords may be ineffective if the hacker has live access to the website database, as they can see the new passwords.

Meanwhile, Neopets said it is looking into the incident with the help of a leading cyber forensics firm. The company also said it has informed law enforcement and is taking measures to enhance the security of its systems.

Data breaches of this nature open up the possibility of other cybercrime, such as phishing or identity theft. Leaked user data can also be used for credential stuffing attacks.

Cybercriminals are becoming more devious in their attempts to trick victims. Access to personal information, such as names, IP addresses, gender, and birthdates, allows threat actors to launch targeted cyberattacks and impersonate users to commit fraud.

To protect yourself from online threats, check out our article on the top cybersecurity tools.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.