2 min

Tags in this article

, ,

Neopets confirmed that one or more attackers recently broke into the company’s database. According to an anonymous tip, the personal data of 69 million users is available for four bitcoin.

Neopets is a browser game. Its founder started in 1999 and sold the company to Viacom for $160 million in 2005. The game lost its popularity over the years, but remains active to this day. The current owner is NetDragon, a Chinese organization.

On 21 July, the Neopets team announced that customers’ data “may” have been stolen. Shortly after, a second update specified the data as “e-mail addresses and passwords of accounts”. The problem seems bigger than thought.

“We immediately launched an investigation assisted by a leading forensics firm”, the team said. “We are also engaging law enforcement and enhancing the protections for our systems and our user data.”

69 million accounts

Neopets didn’t confirm the extent of the breach, but fan site Jellyneo has an idea. An anonymous source tipped that the details of 69 million accounts are for sale on the dark web. According to the fansite, the data and Neopets’ source code are available for four bitcoin (approximately €94,000).

The fansite adds that the seller peddles real-time access to the database for an additional fee. This implies the database remains exposed, rendering password changes useless.

Not the first

There’s reason to believe the anonymous source. Neopets faced several attacks in the past. In 2020, security researcher John Jackson discovered cybercriminals trading database access credentials on the dark web. Jackson identified that the credentials were hard-coded in Neopets’ website. Any serious hacker had access.

We don’t expect the most recent attacker to find a buyer. In 2016, Neopets confirmed a data breach affecting 27 million users. According to website HaveIbeenPwned, the breach occurred as early as 2013. The same data may turn up in the latest breach.

When Jackson examined Neopets’ infrastructure in 2020, the website ran on a dated Apache web server. A misconfiguration made it possible to steal login data. Neopets responded with the promise of improving security. “User data and the security of our site are extremely important to us”, said JumpStart, the former parent company. Actions, however, speak louder than words.

Tip: Avaya employee sells stolen licenses worth €87 million