Neopets Data Breach Exposes Personal Data Of 69 Million Members

It has been reported that the virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members. Neopets is a popular website where members can own, raise, and play games with their virtual pets. Neopets recently launched NFTs that will be used as part of an online Metaverse game. On Tuesday, a hacker known as ‘TarTarX’ began selling the source code and database for the website for four bitcoins, worth approximately $94,000 at today’s prices.

Henning.horst, CTO
InfoSec Expert
July 21, 2022 12:33 pm

“If the past few months have taught us anything, it’s that data breaches are a matter of when not if. And any organization that collects and processes data is a potential target. There are many ways by which organizations can mitigate cyber risks, including training staff, cyber audits, and implementing the zero-trust architecture. But the best approach is to deploy more data-centric security measures, such as tokenization and format-preserving encryption. With these data protection methods applied to data as soon as it enters the corporation, that sensitive information becomes unreadable and therefore unusable by threat actors, although business applications and workers can still process and work with the protected data.”

Javvad Malik, Security Awareness Advocate
InfoSec Expert
July 21, 2022 12:25 pm

“All organisations, regardless of size or industry can be targeted by cyber criminals. We’ve seen toy manufacturers and game developers hit in the past due to the vast amount of personal data they collect.

Such organisations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur.

Similarly, we see criminals aggressively targeting NFTs, cryptocurrencies or other components of web 3.0. This is why it’s important for organisations to take into consideration all security requirements before embarking on the journey to implement new technologies.

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere and if so, change them immediately.”

Jamie Akhtar, CEO and Co-founder
InfoSec Expert
July 21, 2022 12:27 pm

“Once again, this story is a perfect illustration of why patching vulnerabilities is the most important thing any business can do to protect itself. While we don’t know the details of the breach, it’s likely that had Neopets carried out regular vulnerability testing and released regular patches to customers this could have been avoided. However, in the meantime, we would echo the advice of Neopets that customers should change their passwords as a matter of urgency. And, avoid using anything too similar to the original, now the hackers have the information it’s very easy for them to try multiple combinations until they gain access to accounts.”

Rebecca.moody, Head of Data Research
InfoSec Expert
July 21, 2022 12:44 pm

Virtual pet website,, has had 69 million user records stolen and placed up for sale on the dark web. According to Comparitech’s online tracker of the biggest breaches, this is the biggest US-based breach for 2022 so far (and only confirmed data breach over 10 million in the US this year). But what’s perhaps more concerning is the potential age range of the users affected with the website being popular among children and teens as well as adults. Data stolen includes names, date of birth, email addresses, zip codes, gender, and more.

Garret F. Grajek, CEO
InfoSec Expert
July 22, 2022 1:28 pm

“The fact that NeoPets, a site on no one’s identity hit list, got attacked should be a warning to all companies. The attacks are targets of opportunity. It proves all sites are being scanned. The billions of bots just find a vulnerable website, database or resource and then an exploit is enacted – and the process to exfiltration commences. All sites must practice proper site maintenance and true identity governance to understand which accounts are ready for takeover.”

Ian McShane, Field CTO
InfoSec Expert
July 22, 2022 1:29 pm

“Another day another breach – the news that Neopets has had its entire user database accessed by hackers proves once again no company is safe, whatever their industry. The attack has led to the data and credentials of over 69 million users being compromised and shared online. What is more alarming is, even if users change their passwords, they still remain at risk as the vulnerability has still not been fixed.

“While the data stolen from the incident is highly valuable, we all know that many people use the same passwords and usernames across many websites, and sometimes even use their corporate credentials.

“It would be a nice touch if Viacom, the parent company of Neopets, were to provide the impacted users with a year or two of a password manager subscription like LastPass or 1Password, rather than the usual ‘thoughts and prayers’ approach to helping the affected users.

“That said, while vulnerable emails and passwords can be changed, personal information like IP addresses, birthdays, and country location can’t, exposing users to the risk of identity theft for a long time to come. This should be another wake up call to companies as they no longer have an excuse to take only basic steps to protect users, instead stricter security measures are a must.”

Tim.marley, VP Audit, Risk & Compliance
InfoSec Expert
July 25, 2022 12:15 pm

“Web development

Malicious attacks come in several forms including improperly configured or insufficient access controls, stolen credentials from a power user or administrator, applications allowing web-facing attacks such as cross-site scripting or code injection. Or even something as simple as a system with exploitable operating system or application vulnerabilities due to an insufficient vulnerability scanning and remediation program.

Avoiding incidents such as this requires a systematic approach to assessing and minimizing risk. Unfortunately, there is no “silver bullet” or single answer to prevent this. Activities would include secure coding practices against web application guidelines such as the OWASP top ten, a managed vulnerability scanning and remediation program, security awareness training for all users with an emphasis on those with elevated access, and active and constant monitoring of the network and key systems in the environment.

Application development, particularly web-facing development should always be done with an effort to design security into the process. If we “build in” security from the beginning and adequately test our systems prior to launching any new code or modifying existing code, the likelihood of compromise is significantly lessened. Often, we see organizations rushing solutions out the door with an agile mindset that focuses on making it work over making it work securely. Align the overall information security program with a proven framework and measure your progress on a regular basis.

Sensitive data

The failure to keep our stakeholder’s sensitive data confidential is coming with greater consequences for organizations in the United States. Five states currently have privacy laws and another six have legislation at some stage of review. At the end of the day, we shouldn’t need legislation to force us to examine the sensitive data in our possession and verify that we protect it at every stage of the data lifecycle. We are the custodians of this data and owe it to our customers, clients, partners, and residents to verify that we always manage this information securely. If we fail to do so, we stand to lose their trust and may incur significant financial and operational penalties as a result.

I’m particularly concerned over the potential exposure of sensitive data for children under the age of 13. While this site may not specifically cater to that age group, I believe it’s likely we’ll see a much greater consumption of these services by children. If so, then we may see the FTC investigating under the Children’s Online Privacy Protection Rule (COPPA).”

Patrick McBride, CMO
InfoSec Expert
July 25, 2022 12:16 pm

“The Neopets team provides sound advice that users should, assuming their passwords for other sites are the same as they use for Neopets, change them. This will help customers avoid account takeovers of their other accounts, at least as a result of the Neopets attack, but there will be others like this. 

By continuing to use passwords to authenticate customers, it is clear that the technology and e-commerce industry is becoming dangerously complicit in the problem of account takeovers. There are secure replacements for passwords that can be implemented today. It’s past the time to act.”

Michael.varley, Threat Consultant
InfoSec Expert
July 25, 2022 12:18 pm

“In the case of NeoPets, it is being reported that the breach was the result of a general weakness that many websites have. Regular and effective vulnerability scanning of public facing infrastructure and applications can help identify potential vulnerabilities that can be exploited. When vulnerabilities are identified, taking a multi-pronged approach to remediation, whilst patching teams also seek to deploy remediations and/or mitigations across the estate, can vastly improve the time to detection and response in incidents such as these. This could potentially prevent adversary access to sensitive information even after successful exploitation. Threat modelling of public facing infrastructure and applications can allow organisations to identify and profile potential attack vectors ahead of time, allowing security teams to take a proactive, rather than reactive, approach to securing the environment.” 

“Responding to incidents such as these needs a finely tuned balance of speed along with remedial actions. Incident responders should be seeking to validate claims from the threat actor that they have “live” access to the database, that was reportedly confirmed by another user of the initial forum where the leak was posted. From there, responders will work backwards to identify both the point of initial access and any persistence mechanisms the actor may have installed. Once identified, a remediation plan can be created that’ll involve multiple actions occurring simultaneously (or in rapid succession) designed to remove the adversary from the network, deny their access back into the environment, and monitor for any further resurgence in adversary activity.

“Lessons learned after the threat has been eradicated should be viewed by organisations as a way to improve, to build back better and a stark reminder to take the security of their environment, and their customers, very seriously by stopping history from repeating itself.”
