Lock down your Neopets account: Data breach being investigated

Bad news for players of long-time virtual pet management title Neopets. Word is spreading of a compromise claimed to have accessed around 69 million user accounts. This compromise, posted to a hacking forum, is said to include both the database and around 460 MB of compressed source code from Neopets.com.

Data claimed to have been taken includes:

  • Usernames
  • Names
  • Email address
  • Date of birth
  • Zip code
  • Gender
  • Country
  • Registration email

Considering the young age of many Neopets players, this would be quite bad from a privacy and safety standpoint, if the breach turns out to be genuine. This wouldn’t be the first time Neopets has experienced a breach situation either. Back in 2014, “tens of millions” of Neopets accounts were said to have been traded on underground forums. The data in question had apparently been compromised prior to the current owners, Jumpstart, acquiring Neopets.

In 2020, there were claims of ways to potentially gain access to user accounts. Neopets also addressed this. Unfortunately, the current owners may now have a whole new incident to deal with.

Is this a genuine compromise?

There is currently no explanation of how the individual claiming to have done this managed to achieve their database swipe. BleepingComputer, who first reported this, has not been able to find independent verification of the breach. References to confirmation from the Neopets team on Discord actually came from volunteer moderators.

Nevertheless, there is some official recognition of something having happened behind the scenes. For example, the official Neopets Twitter account admits it “recently became aware that customer data may have been stolen” and has engaged the services of a forensics firm.

What does this mean in practice? Well, we won’t know for sure until more information is released. One common occurrence in situations such as these is for large, existing data dumps to be passed off as new. When the data is examined, it often turns out to be lots of old stolen data bundled in with new content. Or it can even be old data across the board! Without proper analysis and comparison to old data, it’s wise to wait and see.

The main thing to note for now is that Neopets has acknowledged something has happened, and is looking into it. In the meantime: what can you do as a Neopets user, or as someone with a child in the house who plays it?

Tips to keep your Neopets account safe

  1. Change your password, as Neopets suggests. Don’t use something you’ve used previously on the Neopets site, or on any other site. This may be time to start looking at a password manager, for added safety. No need to use easily guessed passwords if you can store complex logins inside a management tool instead!
  2. Don’t tell anybody your password, whether they’re other Neopets users, or people on random forums or Discord servers. You won’t receive any free gifts or special in-game items for doing so; you’re just risking losing your account.
  3. Be wary of Neomail phishing attacks, sent your way via the Neopets site’s private message system. The only official communication you’ll receive via Neomail would be from “theneopetsteam”, in the form of warnings.
  4. Watch out for email phishing attempts via the mail you have registered to the site. If this data is truly out there, phishers will almost certainly try their luck. Gaming accounts of any kind are always juicy targets for scammers.

At this point, we’d typically suggest also making use of two-factor authentication to keep your login more secure. Unfortunately, Neopets doesn’t currently offer a way to do this. As a result, it’s even more important that you try and keep your Neopets logins safe with a strong password.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.