Neopets, an aged website that lets users keep virtual pets and take care of them, just suffered a major data breach. Aside from the personal data of over 69 million users, the hacker was able to obtain the website’s source code.
This isn’t the first time Neopets has faced a massive leak, but this time around, user data is currently being sold for crypto — and the leak includes more than just usernames and passwords.
If you’re of a certain age, you may have heard of Neopets before. The website, launched at the tail-end of 1999, was once much more popular than it is now. Made mostly for children, the platform lets users collect virtual pets, alter their colors and outfits, feed them, and play various mini-games, as well as complete on-site events. According to Google Trends, Neopets peaked in popularity around 2005, but since then, the numbers dwindled and have been at a steady low since 2010.
Even though Neopets is now primarily only played by nostalgic adults, and the website itself suffers from numerous issues, it still accumulated a large userbase over the years. Whether the 69 million accounts that were leaked today were in active use or not is irrelevant — the personal data is still tied to them, and now it’s all in the hands of a hacker who revealed themselves as TarTarX on the Breached hacking forums.
In a post on the forums (shared by BleepingComputer), the hacker lists all of the data they are in possession of, including emails, usernames, and passwords, but also more sensitive data, such as country, state, zip code, gender, and date of birth. The hacker also told BleepingComputer that they have around 460MB of compressed website source code.
The authenticity of the data is yet to be verified, but Neopets itself has acknowledged that a data breach took place and advised its users to change their passwords. Unfortunately, if the words of TarTarX are to be believed, simply changing your password might not make much difference. Why? Because the hacker seems to also have access to the live neopets.com site and database. This was verified by the owner of the Breached.co forum, who registered on Neopets to test the validity of TarTarX’s claims. The hacker received all of the data from the registration, meaning that they will also likely be aware of any potential password changes.
If you think you might have an old Neopets account laying around, chances are that your data was affected by this breach, including your email and password. Even if changing the password on Neopets may not change much right now, it’s still highly advisable that you change any passwords that may be the same or similar to the one you’ve used for your Neopets account. This incident is yet another reminder that it’s important to keep different passwords for each website you sign up with. Leaks happen very frequently — just recently, records of up to 1 billion people have been stolen.
BleepingComputer reports that some users have already had unauthorized access to the Neopets database, but reportedly didn’t use it for monetary gain. The website suffered another breach in 2012 in which the accounts of millions of users were compromised, with the data still floating around on the internet years later.
The website said that it has brought in a professional forensics firm ,as well as law enforcement, to pursue the hacker. Meanwhile, TarTarX requests a payment of 4 Bitcoin for the entirety of the database, which is currently priced at around $92,000.