Neopets Revealed That Hackers Had Access to its Systems for 18 Months

Colin Thierry
Colin Thierry Writer
Colin Thierry Colin Thierry Writer

The virtual pet website Neopets released details about the disclosed data breach incident that exposed the personal information of more than 69 million members.

According to its investigation launched on July 20, the company revealed that the threat actors had access to its Neopets IT systems from January 3, 2021 until July 19, 2022.

News of the data breach first broke when a hacker under the alias “TarTarX” posted an ad for anyone interested in purchasing the Neopets database on a dark web marketplace. The hacker offered to sell the entire database and source code for 4 BTC, or $94,000.

This hacker claimed that the stolen data included sensitive personal information like date of birth, country of residence, IPs, gender, names, and emails of around 69 million Neopets users.

The company confirmed the hacker’s claims in an update on Monday, saying, “We have determined that for past and present Neopets players, affected information may include the data provided when registering for or playing Neopets, including name, email address, username, date of birth, gender, IP address, Neopets PIN, hashed password, as well as data about a player’s pet, game play, and other information provided to Neopets.”

“For players that played prior to 2015, the information also could have included non-hashed, but inactive, passwords,” Neopets added.

Neopets’ Response

In response, Neopets took security measures in order to improve its systems’ security and minimize the impact future incidents would have on its users.

The company said that it enhanced network monitoring to detect threats earlier and strengthened the authentication schemes for improved account access protection.

Users’ passwords have also been reset and Neopets is currently working on implementing multi-factor authentication as an extra layer of defense.

Finally, the company’s announcement recommended that all Neopets players change their passwords if they’re re-using them from other online platforms or services.

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.