Lawrence Abrams reports:
Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members.
Neopets is a popular website where members can own, raise, and play games with their virtual pets. Neopets recently launched NFTs that will be used as part of an online Metaverse game.
Read more at BleepingComputer.
Note that the data have been up for sale on a popular forum, and Neopets, which confirmed the breach, noted that changing your password may not help just yet if the threat actor still has access to their server (as they appeared to have as of yesterday). But if you used your Neopets login credentials on any other sites, go change those now, and then change your Neopets password after the site is secured.
Previous Breach or Breaches?
When I saw the headlines in my news feeds this morning, my first thought was “Wait, is this old news or new? Didn’t Neopets have a big breach already?”
Well, yes, it did. Back in 2020, I had first read about what sounded like a serious problem on Twitter:
.@Neopets Okay, so I put in a message with your support line like you asked, but I stress the importance of having someone contact me. With the help of @tensor_bodega we pulled everything. We own, everything. This is Critical and urgent.
— John Jackson 桜の侍 (@johnjhacking) December 26, 2020
But it turns out, there was something even before that: a Neopets 2012 database breach that was disclosed in 2016:
Neopets data breach was disclosed in 2016, 4 years after the security incident. The online game website has leaked 70 million account data, including email, password, birthday, and other personal information. Significantly, the website has lots of minors or underage users. It causes extra work to monitor the exposed accounts and minimize the cyber risks exploited by the breach.
Hmmm.