Neopets, a popular virtual pet-keeping browser game born of the late '90s, has been the victim of a data breach. Hackers claiming to be behind the attack say they have personal account info of more than 69 million members, along with a bunch of the site's source code, and are willing to sell the data off for a fee.
The browser game has been wracked with cheaters for some time, but this just takes the biscuit. Since the site has begun associating itself with NFTs, it appears to have drawn some unwanted attention. Now, it may have gotten worse, as the company investigates a data breach where customer data may have been taken off its servers. It says usernames and passwords connected to the platform may be affected, but email addresses, Neopets users' ages, genders, countries, birth dates, and even IP addresses are allegedly being auctioned off.
The official Neopets Twitter page has posted a warning to users, with the thread strongly recommending users change their Neopets password, and any accounts that use the same password (we advise you to never use the same password for multiple sites, anyway).
It also notes that the breach is being looked into by a "leading forensics firm," though no name has been given as to which one.
"Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data. (1/3)" (Neopets on Twitter, July 21, 2022)
The data appears to have been put up for sale on the popular hacking forum Breached.co (via Bleeping Computer), where one hacker known as TarTarX claims to have live access to the hacked database. For access to a snapshot of the database, the hacker is asking for four bitcoin (approximately $94,500). They note that they are "open to hear offers," and will accept other cryptocurrencies for the data. For an additional fee, they're offering live access to the database.
The validity of TarTarX's claims has apparently been confirmed by the hacking site's owner, pompompurin, who tried creating an account and was promptly sent their data back. What this means is the hacker may well have continued access to the data, so anyone with enough cryptocurrency to blow can allegedly watch people scramble to change their passwords and simply nab them after the fact.
If you head to Neopets' account security page, it confusingly says that "contrary to what many people claim, no one has ever 'hacked into our site' and accessed user information, accounts or usernames. The ONLY means by which a user can have his/her [their, actually] account stolen by someone else is when that user inadvertently or intentionally gives out their account password."
"People like to say they have been hacked, as it makes them feel a little better than admitting they have fallen for a scam, or just simply given away their password to the first person that asked them for it. However, there are a number of things you can do to help keep your account secure."
That statement might be a little out of date now.
After hearing the news, I tried to delete my account through this link, but my initial attempt was met with the message above. I suspect it's something to do with the volume of people likely deleting their accounts right now.
A second attempt then finally allowed me to delete my account. I'm sorry to be leaving, and I suspect plenty of people (particularly parents of younger users) will be following suit.