Unknown attackers hacked the Neopets website, which was founded back in 1999 and offers the opportunity to have virtual pets, as well as interact, communicate and trade with other users, play mini-games, and so on.
Representatives of Neopets write that an investigation is currently underway into the incident, in which law enforcement agencies and third-party cybercriminalists have already been involved. It is already known that as a result of this attack, the data of 69 million Neopets users “leaked”. In addition, the investigation showed that the attackers had access to Neopets systems for about a year and a half: from January 3, 2021 to July 19, 2022.
Interestingly, the company learned about the hack only after the hackers put up for sale the stolen database, valuing it at four bitcoins. The attackers claimed that the database contained 460 MB of source code, as well as confidential personal data of 69 million users (which the company has now confirmed).
“We have determined that [stolen] information about former and current Neopets players may include data provided when registering with Neopets, including name, email address, username, date of birth, gender, IP address, Neopets PIN , hashed password, as well as data about the player’s pet, gameplay and other information provided by Neopets. For users who played prior to 2015, the information could also include unhashed passwords that are inactive,” reads the official statement.
Representatives of Neopets assure that they have already taken a number of measures to improve security so that such incidents do not happen again in the future. The company also says it has improved monitoring systems to detect possible threats earlier and strengthened authentication mechanisms to better protect account access.
User passwords have been reset and Neopets is now working on implementing multi-factor authentication as an additional layer of security.