More than 69 million Neopets accounts may be compromised after a major data breach was revealed Wednesday. A Neopets representative initially confirmed via Discord that the company is aware of the breach and “actively working on it.” Hours later, a Neopets representative published a statement on the site’s forum and on Twitter addressing the breach.
“Neopets recently became aware that customer data may have been stolen,” it tweeted. “We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.”
Neopets community website JellyNeo reported the breach Wednesday after the reported hacker offered, on a data breach forum, to sell the “complete database and source code,” which includes emails, passwords, and other personal information, as well as live access to the database where a buyer can “modify data, credits or in-game pets.” The hacker listed the data for a price of 4 bitcoin, or roughly $100,000. The Neopets team confirmed that email addresses and passwords have been compromised, and advised that players change their passwords on Neopets and elsewhere. It didn’t, however, mention the scope of the breach.
Neopets does offer a paid subscription tier which removes ads and unlocks dedicated forums and some premium features. Players can also purchase NeoCash to spend in the NC Mall on various Neopets items to use on the website. It’s unclear if user credit card information is stored within Neopets’ database or if it was also compromised in the breach. The company has not responded to Polygon’s request for more information.
Neopets is the virtual, create-a-pet website that you likely remember fondly from your youth. It’s currently owned by JumpStart Games, which acquired the site in 2014. JumpStart, for its part, was acquired by NetDragon in 2017. JumpStart was criticized in 2021 after it announced the Neopets Metaverse Collection of NFTs; users were furious. Still, Neopets has an active and dedicated player base, despite some questionable decisions and the site’s slow transition into the future; Neopets was once perpetually broken after Adobe ended Flash support in 2020, taking tons of features offline. The site’s been transitioning to HTML5 and works a lot better, but now the major flaw seems to be security.
Neopets players are upset and worried about the hack, posting across Neopets forums, Reddit, and Facebook. Some players vow to stop playing the game, while others joke about finally being able to get into lost accounts.
Though the site has a passionate player base, the relationship is sometimes adversarial; the transition from Adobe Flash to HTML5 was a big pain point. This isn’t the first time Neopets has been hacked, either: In 2016, tens of millions of accounts were compromised. The information was widely distributed and likely used to break into other services with reused passwords. But Neopets players used the information to steal from each other, too, whether that was Neopoints, the virtual currency, or ultra-rare pets themselves.
Though rare pets do have a real-money value on the Neopets black market, the real risk of the breach is not a stolen pet. The value for hackers in the data stolen this week is the sheer amount of personal information available; players who reuse passwords are particularly vulnerable to having other, more sensitive accounts breached.