Skip to main content

Personal data of 69 million Neopets users is now up for sale after a data breach

Neopets, an aged website that lets users keep virtual pets and take care of them, just suffered a major data breach. Aside from the personal data of over 69 million users, the hacker was able to obtain the website’s source code.

This isn’t the first time Neopets has faced a massive leak, but this time around, user data is currently being sold for crypto — and the leak includes more than just usernames and passwords.

Neopets hack forum post.

If you’re of a certain age, you may have heard of Neopets before. The website, launched at the tail-end of 1999, was once much more popular than it is now. Made mostly for children, the platform lets users collect virtual pets, alter their colors and outfits, feed them, and play various mini-games, as well as complete on-site events. According to Google Trends, Neopets peaked in popularity around 2005, but since then, the numbers dwindled and have been at a steady low since 2010.

Even though Neopets is now primarily only played by nostalgic adults, and the website itself suffers from numerous issues, it still accumulated a large userbase over the years. Whether the 69 million accounts that were leaked today were in active use or not is irrelevant — the personal data is still tied to them, and now it’s all in the hands of a hacker who revealed themselves as TarTarX on the Breached hacking forums.

In a post on the forums (shared by BleepingComputer), the hacker lists all of the data they are in possession of, including emails, usernames, and passwords, but also more sensitive data, such as country, state, zip code, gender, and date of birth. The hacker also told BleepingComputer that they have around 460MB of compressed website source code.

The authenticity of the data is yet to be verified, but Neopets itself has acknowledged that a data breach took place and advised its users to change their passwords. Unfortunately, if the words of TarTarX are to be believed, simply changing your password might not make much difference. Why? Because the hacker seems to also have access to the live site and database. This was verified by the owner of the forum, who registered on Neopets to test the validity of TarTarX’s claims. The hacker received all of the data from the registration, meaning that they will also likely be aware of any potential password changes.

Neopets logo and several pets.

If you think you might have an old Neopets account laying around, chances are that your data was affected by this breach, including your email and password. Even if changing the password on Neopets may not change much right now, it’s still highly advisable that you change any passwords that may be the same or similar to the one you’ve used for your Neopets account. This incident is yet another reminder that it’s important to keep different passwords for each website you sign up with. Leaks happen very frequently — just recently, records of up to 1 billion people have been stolen.

BleepingComputer reports that some users have already had unauthorized access to the Neopets database, but reportedly didn’t use it for monetary gain. The website suffered another breach in 2012 in which the accounts of millions of users were compromised, with the data still floating around on the internet years later.

The website said that it has brought in a professional forensics firm ,as well as law enforcement, to pursue the hacker. Meanwhile, TarTarX requests a payment of 4 Bitcoin for the entirety of the database, which is currently priced at around $92,000.

Editors' Recommendations

Monica J. White
Monica is a UK-based freelance writer and self-proclaimed geek. A firm believer in the "PC building is just like expensive…
This vaccine passport app data breach is a cautionary tale
Man frustrated at computer.

A security blunder by proof-of-vaccination app Portpass provides a reminder that third-party apps may not protect your privacy and security. According to CBC News, Portpass exposed potentially hundreds of thousands of users’ personal information on its unsecured website.

After receiving a tip that the user profiles on the app’s website were accessible by members of the public, CBC verified the claim. While on the website, CBC was able to see users’ personal information, email addresses, blood types, birthdays, phone numbers, and photo identification, including driver’s licenses and passports.

Read more
T-Mobile investigating claims of massive hack involving customer data
T-Mobile storefront with corporate signage.

T-Mobile says it’s investigating claims of a major data breach that may affect as many as 100 million of its customers.

A message spotted on an underground forum on Sunday, August 15, came from someone claiming to be in possession of personal data belonging to 100 million people. The message made no mention of T-Mobile, but when the poster was contacted by news site Motherboard, it became apparent that the mobile company's customers were at the center of the alleged hack. The figure of 100 million would be remarkable as it's almost equal to T-Mobile's entire customer base.

Read more
T-Mobile reveals it ended 2020 with data a breach
The T-Mobile logo on a smartphone.

T-Mobile’s new year is not off to the greatest of starts after the carrier revealed details of a security breach affecting some of its customers.

A message on T-Mobile’s website says that a recently identified security incident may have allowed hackers to steal customer data such as phone numbers, number of lines subscribed to on an account, and call-related information collected as part of the normal operation of its wireless service.

Read more