Neopets virtual pet website suffered a data breach that allowed hackers to access the platform’s source code and personal information of 69 million users.
A threat actor identified as “TarTarX” advertised the website’s stolen source code and database for sale at four bitcoins, worth about $96,000 at the time.
Neopets acknowledged the breach and engaged forensics and law enforcement entities, although the hackers reportedly still had access to the website.
Launched in 1999, Neopets is a virtual gaming website that allows members to own, raise, customize, and play with virtual pets while earning Neocash. Members can also buy online merchandise from the website. Additionally, the website intended to convert virtual pet characters into tradable non-fungible tokens (NFTs). However, Neopets’ users slammed the NFT idea, describing it as a “cash grab” and a “red flag.”
Neopets virtual pet website confirms a data breach
“Neopets recently became aware that customer data may have been stolen,” the official Neopets account tweeted.
“We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.”
Warning that hackers might have accessed the email addresses and passwords used to log into Neopets accounts, the virtual pet website is strongly recommending that users change their passwords.
“We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords.”
Sadly, changing passwords might not protect users from the data breach, since the attacker still had access to the database at the time.
“What is more alarming is, even if users change their passwords, they still remain at risk as the vulnerability has still not been fixed,” Ian McShane, VP of Strategy at Arctic Wolf, said.
“It would be a nice touch for Neopets’ parent company to provide the impacted users with a year or two of a password manager subscription like LastPass or 1Password, rather than the usual ‘thoughts and prayers’ approach to helping the affected users.”
However, the attackers did not encrypt data or demand a ransom from the virtual pet website’s owner. The virtual pet website has not yet determined which security vulnerability the attackers exploited.
“Not knowing the source of the breach is very concerning and Neopets must put every resource they have to identify and remediate it,” Lior Yaari, CEO and Co-founder of Grip Security, said.
“Until they know the source of the breach, there is no trust and safety on their platform, and that is a fundamental tenet of online gaming. Beyond just changing passwords, users should remove all personal or financial information until Neopets has resolved the issue.”
Elad Amit, VP of Product Management at PerimeterX, noted that the “Neopets data breach is a wake-up call to all online businesses to stop the theft, validation and fraudulent use of account and identity information.”
Over 460 GB of source code data was stolen from virtual pet website
According to screenshots shared by BleepingComputer, the data breach potentially leaked players’ names, genders, dates of birth, usernames, email addresses, IP addresses, countries, and zip codes.
The hackers also claim to have accessed game credits and in-game pets that the buyer could modify. Additionally, at least 460 MB of compressed source code archives were exfiltrated from the virtual pet website.
The hacker promised to sell the database and source code to a single buyer for the stated price or any acceptable offer. However, additional fees would apply for live database access.
Neopets did not disclose whether payment information for premium users was compromised during the virtual pet website data breach. Since the threat actor did not include credit card information as part of the deal, it’s safe to assume that the data breach did not expose any payment information.
While financial information might be safe, hackers could use stolen data for identity theft, social engineering, and credential stuffing attacks.
“Once a valid username and password pair is found, cybercriminals can use the credentials to log into – and take over – legitimate accounts, typically on a number of sites since password reuse is common,” Amit said. “Since most websites don’t have security checks post-login, attackers are free to navigate through and abuse the account, no questions asked. This abuse could include transferring money, cashing out credits or buying products that are easy to resell.”
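The credential stuffing pattern described above, from the defender's side, as an added example that is not part of the original article and not code from Neopets or any of the quoted vendors: a small Python detector that reads authentication log lines, flags source IPs that try many distinct usernames within a short window (the signature of replaying a leaked credential dump), and lists the accounts that saw a successful login from such a source so they can be force-reset. The log format (`timestamp ip username OK|FAIL`) and the sample lines are constructed for this example.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log format, one event per line: ISO-8601 timestamp, source IP,
username, and OK or FAIL. Sample data below is constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP sprays seven accounts in six seconds and
# lands one hit; a second IP retries a single account; a third is normal.
SAMPLE_LOG = """\
2022-07-20T10:00:01Z 203.0.113.5 alice FAIL
2022-07-20T10:00:02Z 203.0.113.5 bob FAIL
2022-07-20T10:00:02Z 203.0.113.5 carol FAIL
2022-07-20T10:00:03Z 203.0.113.5 dave FAIL
2022-07-20T10:00:04Z 203.0.113.5 erin FAIL
2022-07-20T10:00:05Z 203.0.113.5 frank OK
2022-07-20T10:00:06Z 203.0.113.5 grace FAIL
2022-07-20T10:03:00Z 198.51.100.7 alice FAIL
2022-07-20T10:03:20Z 198.51.100.7 alice OK
2022-07-20T11:00:00Z 192.0.2.9 heidi OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Map each suspicious IP to the set of usernames it attempted.

    An IP is suspicious when, within any sliding window of `window` length,
    it attempted logins for at least `min_users` distinct accounts. Legitimate
    users rarely try more than one or two account names from one address.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def compromised_accounts(events, flagged):
    """Accounts with a successful login from a flagged source (force-reset list)."""
    return sorted({user for _ts, ip, user, ok in events if ok and ip in flagged})


def analyze(text):
    """Run the full pipeline and return (flagged_sources, compromised_accounts)."""
    events = parse_log(text)
    flagged = find_stuffing_sources(events)
    return flagged, compromised_accounts(events, flagged)


if __name__ == "__main__":
    sources, hits = analyze(SAMPLE_LOG)
    for ip, users in sources.items():
        print(f"stuffing source {ip}: {len(users)} accounts tried")
    print("accounts to force-reset:", hits)
```

Note what the volume rule does not catch: the second source in the sample takes over `alice` with a single reused password after one failed try, which looks like an ordinary typo-and-retry. That gap is exactly why the quoted advice about post-login checks matters; pair a rule like this with per-account signals (new device, new geolocation, immediate credit transfer) rather than relying on request volume alone.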
Meanwhile, the threat actor has not provided proof of the stolen data but told skeptics to seek confirmation from the Breached.co forum administrator ‘pompompurin.’ According to BleepingComputer, the forum’s operator confirmed that the hackers could still access the live database, including new registration details.
Neopets has suffered multiple data breaches since its inception and its transfer from Viacom to JumpStart Games, with incidents in 2014, 2016, and 2020.