
Data on 69 million Neopets users stolen and listed for sale on hacker forum

Email addresses, passwords, and zip codes are all thought to have been stolen by the hacker


Neopets, a site that allows users to collect digital pets and trade pet-related items, has been hit by a data breach that's thought to have affected around 69 million users.

Sensitive information, including email addresses, passwords, countries, zip codes, genders, and birthdays, is included in the leaked database.

A hacking forum user named ‘TarTarX’ was spotted advertising the entire database in exchange for 4 bitcoins (approximately $90,000 at time of writing), as first reported by BleepingComputer.

The owner of the hacking forum Breached.co, a user named ‘pompompurin’, verified the claims by creating a new account and asking for its details, which TarTarX was able to produce, according to the report.

The hacker indicated that they have not sought a ransom from Neopets owner JumpStart Games, instead seeking to sell to interested parties through their forum post. The precise methodology of the breach is still unknown.

Addressing the issue on Twitter, the company stated:

“Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.”


The breach is the latest development in a history of similar events for Neopets, which was launched in 1999. In 2016, it was reported that the company database had been breached as early as 2012, leaking 70 million records. It was also alleged at the time that these passwords had been stored in plain text.

Neopets recently announced their own range of NFTs, to be used in an as-yet-unreleased Neopets Metaverse game. Users can already earn currency known as Neopoints on the website, to be spent on items. There is also Neocash, a currency used to buy special items, which has a chance to be won from games or can be bought by users at a rate of 100NC per $1.

“Once again, this story is a perfect illustration of why patching vulnerabilities is the most important thing any business can do to protect itself,” said Jamie Akhtar, CEO and co-founder of cyber security firm CyberSmart.

“While we don’t know the details of the breach, it’s likely that had Neopets carried out regular vulnerability testing and released regular patches to customers this could have been avoided. However, in the meantime, we would echo the advice of Neopets that customers should change their passwords as a matter of urgency.

“And, avoid using anything too similar to the original, now the hackers have the information it’s very easy for them to try multiple combinations until they gain access to accounts.”

Data breaches are an ever-present threat to organisations, with recent victims including universities and even a Shanghai police database containing information on over a billion Chinese citizens.

IT Pro has contacted JumpStart Games for comment.
