Data on 69 million Neopets users stolen and listed for sale on hacker forum

Email addresses, passwords, and zip codes are all thought to have been stolen by the hacker

Neopets, a site that allows users to collect digital pets and trade pet-related items, has been hit by a data breach that's thought to have affected around 69 million users.

Sensitive information such as email addresses, passwords, country, zip code, gender, and birthdays are all included in the leaked database.

A hacking forum user named ‘TarTarX’ was spotted advertising the entire database in exchange for 4 bitcoins (approximately $90,000 at time of writing), as first reported by BleepingComputer.

The owner of the hacking forum Breached.co, a user named ‘pompompurin’, verified the claims by creating a new account and asking for its details, which TarTarX was able to produce, according to the report.

The hacker indicated that they have not sought a ransom from Neopets owner JumpStart Games, instead seeking to sell to interested parties through their forum post. The precise methodology of the breach is still unknown.

Addressing the issue on Twitter, the company stated:

“Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.”

The breach is the latest development in a history of similar events for Neopets, which was launched in 1999. In 2016, it was reported that the company database had been breached as early as 2012, leaking 70 million records. It was also alleged at the time that the passwords in that database had been stored in plain text.

Neopets recently announced their own range of NFTs, to be used in an as-yet-unreleased Neopets Metaverse game. Users can already earn currency known as Neopoints on the website, to be spent on items. There is also Neocash, a currency used to buy special items, which has a chance to be won from games or can be bought by users at a rate of 100NC per $1.

“Once again, this story is a perfect illustration of why patching vulnerabilities is the most important thing any business can do to protect itself,” said Jamie Akhtar, CEO and co-founder of cyber security firm CyberSmart.

“While we don’t know the details of the breach, it’s likely that had Neopets carried out regular vulnerability testing and released regular patches to customers this could have been avoided. However, in the meantime, we would echo the advice of Neopets that customers should change their passwords as a matter of urgency.

“And avoid using anything too similar to the original; now the hackers have the information, it’s very easy for them to try multiple combinations until they gain access to accounts.”

Data breaches are an ever-present threat to organisations, with incidents affecting universities and, recently, even a Shanghai police database containing information on over a billion Chinese citizens.

IT Pro has contacted JumpStart Games for comment.
