Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members.
Neopets is a popular website where members can own, raise, and play games with their virtual pets. Neopets recently launched NFTs that will be used as part of an online Metaverse game.
On Tuesday, a hacker known as ‘TarTarX’ began selling the source code and database for the Neopets.com website for four bitcoins, worth approximately $94,000 at today’s prices.
In a conversation with BleepingComputer, TarTarX says that they stole the database and approximately 460MB (compressed) of source code for the neopets.com website.
The seller claims that this database contains the account information of over 69 million members, and in a screenshot shared with BleepingComputer, you can see the data includes members’ usernames, names, email addresses, zip code, date of birth, gender, country, an initial registration email, and other site/game-related information.
While the hacker would not reveal how they gained access to the website, they told us that they did not ransom the data to Jumpstart, the owners of Neopets, but have received interest from potential buyers.
At this time, BleepingComputer has not been able to independently verify the authenticity of the database. However, pompompurin, the owner of the Breached.co hacking forum, verified the hacker’s claims by registering an account on Neopets.com and being sent their newly created record from the database.
“Vouch, I registered an account on the website and he sent the full entry,” pompompurin posted to the Breached.co forums.
Furthermore, this verification showed that TarTarX continued to have access to the neopets.com site even as they began selling the data.
Breach is confirmed
After the news of the breach spread online, the Neopets team, known by the abbreviation TNT, confirmed on the unofficial Neopets Discord server that they are aware of the security incident and are working on resolving it.
Volunteer Discord moderators are warning that changing passwords on Neopets may not help secure your account if the attackers still have access to the Neopets servers.
“We should note that the effectiveness of changing your Neopets password is currently debatable as long as hackers have live access to the database, as they can simply check what your new password is,” reads an announcement on the Neopets Discord server.
“We cannot therefore strictly advise you on the best course of action given the circumstances.”
However, if you use the same Neopets password on other sites, you are strongly advised to change your password on those sites to a different one.
For the latest updates on the data breach, Neopets members should monitor a topic on the Neopets help site Jellyneo or the Jellyneo Twitter account, where status updates will be posted as they become available.
This is not the first data breach for Neopets, with member data previously circulating online in 2016 from a breach that occurred in 2012.
BleepingComputer has also contacted Jumpstart about the breach but has not received a reply at this time.
Update 7/20/22 11:07 PM EST: Clarified that the Discord server is an unofficial Neopets server and that the announcement was from volunteer moderators.