Neopets disclosed Thursday that it might have been the victim in a data breach. After a hacker claimed that he had stolen “sensitive personal data” from up to 69,000,000 users, Neopets made this statement.
Neopets claimed that the stolen data included passwords and email addresses. The hacker who revealed the information on a hacking forum claimed that the stolen data included birthdates and their names as well as IP addresses, passwords and zip codes.
Neopets allows users to play and grow virtual pets through a website. This web service has been in existence since 1999 and is extremely popular. The company revealed that in October 2013, it would be entering the NFT area.
This isn't the first major data breach at Neopets. The company disclosed in 2016 that its entire userbase–27,000,000 at the time–had been affected by a data breach. Neopets was also affected by a leak in 2020 after an investigator discovered a list of accounts on a dark-web forum.
Information about the Neopets Data Breach
A hacker claiming to be TarTarX offered to sell Neopets.com's source code as well as a database of users' data, for $4 BTC, or approximately $90,000. TarTarX asserts that the data contains sensitive information for around 69 million Neopets members.
TarX stated to Bleeping Computer, that they had “taken the database and about 460MB of the source code for neopets.com.”
TarTarX explains that you can access the database to modify data, credits, in-game pets or attributes, and “everything you need.”
The breach of Neopets was not disclosed and the sale of stolen data is unknown. Potential buyers expressed interest in the listing.
It is possible to be ineffective to change passwords
Neopets sent out a tweet informing users of the breach and recommending that they change their passwords.
The company stated that if you have the same password for multiple websites, you should also change them.
According to moderators on an informal Neopets Discord, however, it may not be enough for users to protect their accounts. The moderators explained that password changes may not be effective if hackers have live access to website databases. They can also see new passwords.
Neopets stated that it was investigating the incident using the assistance of an international cyber-forensics company. It also stated that it had informed the law enforcement about the incident and was taking steps to improve its security.
This type of data breach opens up to the possibility for other cybercrime such as identity theft or phishing. Credential stuffing can be done with user data that has been leaked.
In their efforts to fool victims, cybercriminals have become more sophisticated. Cybercriminals have access to sensitive information such as birth dates, IP addresses, genders, names and birth dates, which allows them to target cyberattacks to impersonate victims and commit fraud.
Check out this article to learn more about the best cybersecurity tools.