A hacker claims to have stolen information from Neopets, the long-running virtual pet website, affecting 69 million users of the service.
The hack was confirmed by posts from the official Neopets Twitter and Instagram accounts on July 20th, with a tweet informing the public that the company “recently became aware that customer data may have been stolen” and had hired a forensic firm to investigate. The social media posts did not give further information about the scope of the hack but suggested that all site users change their passwords as a precaution.
Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data. (1/3)
— neopets (@Neopets) July 21, 2022
According to details reported by BleepingComputer, a hacker named TarTarX began to offer data for sale on a hacking forum on Tuesday. The hacker was reportedly soliciting a price of 4 Bitcoins for the data, equivalent to roughly $90,500.
Details of a database schema shared by the hacker suggest that the stolen data includes not only usernames, emails and passwords but also users’ date of birth, zip code, gender, and country — compounding the chance that it could be used to phish or otherwise defraud users in the wrong hands.
The forum post made by the hacker also claims that they continue to be able to access the live version of the Neopets site database — a fact BleepingComputer reports as being confirmed by the owner of the hacking forum where the data was posted. If true, this suggests that even the precautionary measures advised by Neopets would be insufficient to protect a user’s account from unauthorized access.
First launched in 1999, the Neopets site has suffered from a number of security lapses in recent years, particularly after ownership changed hands from Viacom to JumpStart Games in 2014. In 2016, a similar data breach led to potentially tens of millions of users’ details being stolen and traded on hacking forums. And in 2020, security researchers discovered access to the site’s entire codebase being sold due to administrator credentials that had been written directly into sections of code discovered by hackers.
More recently, the Neopets franchise has event looked to pivot into the metaverse, turning its beloved characters into a line of NFTs. But the move was widely panned by fans, with the operators of one of the most popular fan sites describing it as a “cash grab.”
A request for comment sent to Neopets had not been answered by time of publication.