Neopets hit by data breach, potentially putting millions of users at risk

(Image credit: Neopets)

Neopets, a website where people own virtual pets, play games and trade pet-related items, has had its user database stolen.

In a short Twitter thread, the site confirmed the breach, explaining it has notified the police and brought in a “leading forensics firm” to address the issue. 

“It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords," the thread states.

Ongoing incident

However, this seems to be an ongoing breach, caused by a vulnerability that likely has not yet been patched. As such, users could be asked to change their passwords again, after parent company TNT plugs the security hole.

“As per TNT's suggestions, we recommend you update your password (via "My Profile"). However, since TNT has not confirmed that the vulnerability has been patched, be prepared to change it again once we get the all clear,” advises a post on Jellyneo, a popular Neopets help site.

This site was also the one to share more details on the hack. Allegedly, data on more than 69 million users was compromised, including plenty of sensitive and personally identifiable information, such as email addresses, passwords, genders, IP addresses, countries, as well as birthdays - all the ingredients necessary for identity theft.

The entire database has allegedly been put up for sale on the black market, for a total of four bitcoin, which is worth roughly $91,500 at press time. The seller also claims the buyer can get live access to the database, for an extra fee. 

TNT is yet to confirm whether the site’s payment methods were compromised. Although Jellyneo says “we don’t believe payment methods were breached”, an official confirmation is missing. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.