Neopets has released details about the recently disclosed data breach incident that exposed personal information of more than 69 million members.
Findings of the investigation launched on July 20, 2022 revealed that attackers had access to the Neopets IT systems from January 3, 2021 until July 19, 2022.
The company learned about the breach only after a hacker offered to sell a Neopets database for four bitcoins.
The hacker claimed the database contained 460MB of source code and sensitive personal information for 69 million members.
An update from the company on Monday confirmed the hacker’s claims, saying:
“We have determined that for past and present Neopets players, affected information may include the data provided when registering for or playing Neopets, including name, email address, username, date of birth, gender, IP address, Neopets PIN, hashed password, as well as data about a player’s pet, game play, and other information provided to Neopets.”
“For players that played prior to 2015, the information also could have included non-hashed, but inactive, passwords,” the company added.
Responding to the situation
Neopets has taken a series of measures to improve their systems’ security and to minimize the impact future incidents would have on the players.
The company says that it enhanced network monitoring to catch threats earlier and strengthened the authentication schemes for better account access protection.
Passwords have now been reset and Neopets is now working on implementing multi-factor authentication as an added defense layer.
Finally, the announcement recommends that all Neopets players change their passwords if they’re recycling them for other online platforms or services.
Neopets players should remain vigilant for emails that urge them to take immediate action or ask them to provide sensitive information, such as that related to banking accounts.