Massive Neopets Data Breach Exposes 69M Accounts To Hacker Seeking A Bitcoin Payday

A hacker is attempting to sell what they claim is stolen source code and a database of more than 69 million user accounts from Neopets, a popular virtual pets website that launched all the way back in 1999. The official Neopets account on Twitter has posted a message saying it is investigating the data breach and "strongly" recommends that users change their passwords.

Whether that will do any good is up for debate. A moderator on the Neopets Discord channel says that as long as hackers still have live access to the database, changing passwords is pointless, as they would still be viewable by the culprit(s).

"We cannot therefore strictly advise you on the best course of action given the circumstances," the volunteer moderator wrote.

Neopets tweet on data breach
Nevertheless, the recommendation posted to the official Neopets Twitter account is for all users to change their passwords, as well as for any other sites where they might be using the same one (which is a good security practice regardless). Neopets also promised to provide an update on its investigation when it has more news to share.

In the meantime, users have pointed out that the site's Account Security page is comically (or tragically) in need of an update. At the time of this writing, it still states, "Contrary to what many people claim, no one has ever 'hacked into our site' and accessed user information, accounts, or usernames." It goes on to chastise people who claim they have been hacked, saying they only do so because "it makes them feel a little better than admitting they have fallen for a scam." Yeah, Neopets should probably walk that one back, and soften the aggressive tone, too.

Neopets has not confirmed the full extent of the breach, though a hacker known as TarTarX is taking credit and has listed around 460MB of compressed data for sale on a hacking forum. They claim it contains sensitive account data for over 69 million Neopets users, including usernames, real names, email addresses, ZIP codes, dates of birth, gender, country, initial email registrations, and more.

TarTarX told BleepingComputer that it chose not to ransom the data to Jumpstart, the firm that owns Neopets, and instead is fielding interest from potential buyers. Furthermore, the owner of the forum told the site they were are able to verify the authenticity of the stolen data by registering a Neopets account and then having their details sent to them.

The implication there is that not only is the stolen data likely legitimate, but TarTarX appears to still have access to the breached database, or at least did after posting the data dump for sale. TarTarX's asking price is 4 Bitcoin, which is currently worth $90,580.