The virtual pet website Neopets released details about the disclosed data breach incident that exposed the personal information of more than 69 million members.
According to its investigation launched on July 20, the company revealed that the threat actors had access to its Neopets IT systems from January 3, 2021 until July 19, 2022.
News of the data breach first broke when a hacker under the alias “TarTarX” posted an ad for anyone interested in purchasing the Neopets database on a dark web marketplace. The hacker offered to sell the entire database and source code for 4 BTC, or $94,000.
This hacker claimed that the stolen data included sensitive personal information like date of birth, country of residence, IPs, gender, names, and emails of around 69 million Neopets users.
The company confirmed the hacker’s claims in an update on Monday, saying, “We have determined that for past and present Neopets players, affected information may include the data provided when registering for or playing Neopets, including name, email address, username, date of birth, gender, IP address, Neopets PIN, hashed password, as well as data about a player’s pet, game play, and other information provided to Neopets.”
“For players that played prior to 2015, the information also could have included non-hashed, but inactive, passwords,” Neopets added.
Neopets’ Response
In response, Neopets took security measures in order to improve its systems’ security and minimize the impact future incidents would have on its users.
The company said that it enhanced network monitoring to detect threats earlier and strengthened the authentication schemes for improved account access protection.
Users’ passwords have also been reset and Neopets is currently working on implementing multi-factor authentication as an extra layer of defense.
Finally, the company’s announcement recommended that all Neopets players change their passwords if they’re re-using them from other online platforms or services.