The rumored Neopets data breach is officially confirmed. A data breach at the virtual pet website Neopets resulted in the theft of source code and a database containing the personal data of over 69 million users.
Popular website Neopets allows users to create, care for, and play games with virtual pets. Neopets recently released NFTs that are to be included in an online Metaverse game.
On Tuesday, a hacker using the alias “TarTarX” started offering the Neopets.com website’s source code and database for four bitcoins, or about $94,000 at the time.
According to BleepingComputer’s report, TarTarX claims that they obtained the database and about 460MB (compressed) of source code for the neopets.com website.
In a screenshot shared by BleepingComputer, you can see that the data includes members’ usernames, names, email addresses, zip codes, dates of birth, gender, countries, an initial registration email, and other site/game-related information. The seller claims that this database contains the account information of over 69 million users.
The hacker said they had not demanded money from Neopets’ owners, Jumpstart, in exchange for access to the website, but that they had heard from people interested in buying the data instead.
The proprietor of the Breached.co hacking site, pompompurin, however, was able to confirm the hacker’s assertions by creating an account on Neopets.com and requesting a copy of their freshly created record from the database. “Vouch, I registered an account on the website and he sent the full entry,” pompompurin wrote in the Breached.co forums.
This verification also demonstrated that TarTarX had access to the neopets.com website even after they started selling the data.
Neopets data breach is officially confirmed
After word of the Neopets data breach circulated online, the Neopets team, known by the acronym TNT, stated on the unofficial Neopets Discord channel that they are aware of the security incident and are working to resolve it.
Volunteer Discord moderators have warned that changing your Neopets account password may not help secure it while the attackers still have access to Neopets’ servers. The following statement was posted in the Neopets Discord server:
“We should note that the effectiveness of changing your Neopets password is currently debatable as long as hackers have live access to the database, as they can simply check what your new password is. We cannot therefore strictly advise you on the best course of action given the circumstances.”
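The moderators’ reasoning rests on an assumption worth making explicit: that a read of the database hands the attacker the current password. The example below is added here and is not code from the page, from Neopets, or from anyone quoted in it; it uses constructed usernames and passwords and Python’s standard-library PBKDF2 (the 600,000-iteration figure is OWASP’s current guidance for PBKDF2-HMAC-SHA256; argon2id would be the stronger production choice). It contrasts a plaintext store with a salted, hashed store and shows that, with the latter, a database read alone does not reveal a freshly changed password.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-ins for a users table. Nothing here is Neopets data.
PLAINTEXT_STORE = {}   # the weak design: username -> password stored as-is
HASHED_STORE = {}      # username -> (salt, derived verifier)

# OWASP guidance for PBKDF2-HMAC-SHA256; chosen here because hashlib is always available,
# so the example runs offline. argon2id is the stronger choice for a real deployment.
PBKDF2_ITERATIONS = 600_000


def _derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow derivation of the stored verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def set_password_plaintext(username: str, password: str) -> None:
    PLAINTEXT_STORE[username] = password


def set_password_hashed(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    HASHED_STORE[username] = (salt, _derive(password, salt))


def verify_hashed(username: str, password: str) -> bool:
    """Login check: re-derive from the supplied password and compare in constant time."""
    record = HASHED_STORE.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _derive(password, salt))


def dump_plaintext_record(username: str) -> str:
    """What an attacker with read access to the weak table sees for one user."""
    return f"{username}:{PLAINTEXT_STORE[username]}"


def dump_hashed_record(username: str) -> str:
    """What the same attacker sees in the hashed table: salt and verifier, hex encoded."""
    salt, stored = HASHED_STORE[username]
    return f"{username}:{salt.hex()}:{stored.hex()}"


def password_visible_in_dump(dump: str, password: str) -> bool:
    """Does a database read alone hand the attacker the current password?"""
    return password in dump


if __name__ == "__main__":
    # Constructed account; the user "changes their password" after hearing of a breach.
    set_password_plaintext("demo_user", "old-hunter2")
    set_password_hashed("demo_user", "old-hunter2")
    set_password_plaintext("demo_user", "new-Tr0ub4dor")
    set_password_hashed("demo_user", "new-Tr0ub4dor")

    print(dump_plaintext_record("demo_user"))  # new password readable outright
    print(dump_hashed_record("demo_user"))     # only a salt and a verifier
    print(password_visible_in_dump(dump_plaintext_record("demo_user"), "new-Tr0ub4dor"))  # True
    print(password_visible_in_dump(dump_hashed_record("demo_user"), "new-Tr0ub4dor"))     # False
    print(verify_hashed("demo_user", "new-Tr0ub4dor"))  # True
    print(verify_hashed("demo_user", "old-hunter2"))    # False
```

The caveat is the one the moderators were pointing at: hashing only narrows the problem. An attacker who retains access to the application servers themselves, rather than just a copy of the database, still sees the password in the login handler before it is hashed, so a reset is only worth something once that access has been revoked. The defensible order of operations is to evict the attacker, rotate the secrets they could have read, and only then force password resets.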
Neopets data breach: What should you do?
If you use your Neopets password on other websites, however, you are strongly encouraged to change it on those sites to something different.
Neopets members can follow the topic for official updates from the Neopets team on the Neopets help site Jellyneo or on the Jellyneo Twitter account.
Official statement by @Neopets about the breach uncovered today.
No word on if the vulnerability has been patched or not. No confirmation on safety of Premium/Neocash payment methods (we've been asked about this a lot).
We're hoping to hear more. https://t.co/8odsvI7AgR
— Jellyneo.net (@jellyneo) July 21, 2022
This is not the first Neopets data breach: member information from a breach that happened in 2012 made its way online in 2016.
Although this Neopets data breach appears to be new, the platform has a history of its systems being improperly accessed.
According to BleepingComputer, a Reddit member, neo_truths, has had “read” access to the database for at least a year after discovering vulnerabilities in the website’s stolen source code.
neo_truths also claimed to have altered the game as an April Fool’s joke by injecting code into a PHP eval() call using someone else’s hack.
Unfortunately, according to neo_truths, there are only a few developers to manage the enormous amount of code that is dispersed over numerous servers. In the past, this staff shortage has resulted in multiple breaches by multiple individuals; one actively used exploit was reported to the developers, who subsequently fixed it.
“Neo is full of breaches and multiple people had (and maybe still have) access for years. The only difference is they use it privately (mostly for genning and selling offsite) and I try to address some known issues with actual data. I have already reported 2 exploits that allowed db access that other people had used (one of them for months/years, hard to tell). I could not have found them if I didn’t have access myself.
I could always choose to reveal my own method, thus losing access, which would be the correct thing, but at the same time that would let the others run free. But yes, I understand that from a user perspective it’s very worrying someone can arbitrarily access their data,” explained neo_truths in a comment on Reddit.