Neopets Data Breach Exposes Personal Data Of 69 Million Members

It has been reported that the virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members. Neopets is a popular website where members can own, raise, and play games with their virtual pets. Neopets recently launched NFTs that will be used as part of an online Metaverse game. On Tuesday, a hacker known as ‘TarTarX’ began selling the source code and database for the Neopets.com website for four bitcoins, worth approximately $94,000 at today’s prices.

9 Expert Comments
Michael Varley, Threat Consultant
InfoSec Expert
July 25, 2022 12:18 pm

“In the case of NeoPets, it is being reported that the breach was the result of a general weakness that many websites have. Regular and effective vulnerability scanning of public facing infrastructure and applications can help identify potential vulnerabilities that can be exploited. When vulnerabilities are identified, taking a multi-pronged approach to remediation, whilst patching teams also seek to deploy remediations and/or mitigations across the estate, can vastly improve the time to detection and response in incidents such as these. This could potentially prevent adversary access to sensitive information even after successful exploitation. Threat modelling of public facing infrastructure and applications can allow organisations to identify and profile potential attack vectors ahead of time, allowing security teams to take a proactive, rather than reactive, approach to securing the environment.” 

“Responding to incidents such as these needs a finely tuned balance of speed along with remedial actions. Incident responders should be seeking to validate claims from the threat actor that they have “live” access to the database, that was reportedly confirmed by another user of the initial forum where the leak was posted. From there, responders will work backwards to identify both the point of initial access and any persistence mechanisms the actor may have installed. Once identified, a remediation plan can be created that’ll involve multiple actions occurring simultaneously (or in rapid succession) designed to remove the adversary from the network, deny their access back into the environment, and monitor for any further resurgence in adversary activity.

“Lessons learned after the threat has been eradicated should be viewed by organisations as a way to improve, to build back better and a stark reminder to take the security of their environment, and their customers, very seriously by stopping history from repeating itself.”

Patrick McBride, CMO
InfoSec Expert
July 25, 2022 12:16 pm

“The Neopets team provides sound advice that users should, assuming their passwords for other sites are the same as they use for Neopets, change them. This will help customers avoid account takeovers of their other accounts, at least as a result of the Neopets attack, but there will be others like this. 

By continuing to use passwords to authenticate customers, it is clear that the technology and e-commerce industry is becoming dangerously complicit in the problem of account takeovers. There are secure replacements for passwords that can be implemented today. It’s past the time to act.”

Tim Marley, VP Audit, Risk & Compliance
InfoSec Expert
July 25, 2022 12:15 pm

“Web development

Malicious attacks come in several forms, including improperly configured or insufficient access controls, stolen credentials from a power user or administrator, applications allowing web-facing attacks such as cross-site scripting or code injection, or even something as simple as a system with exploitable operating system or application vulnerabilities due to an insufficient vulnerability scanning and remediation program.

Avoiding incidents such as this requires a systematic approach to assessing and minimizing risk. Unfortunately, there is no “silver bullet” or single answer to prevent this. Activities would include secure coding practices against web application guidelines such as the OWASP top ten, a managed vulnerability scanning and remediation program, security awareness training for all users with an emphasis on those with elevated access, and active and constant monitoring of the network and key systems in the environment.

Application development, particularly web-facing development, should always be done with an effort to design security into the process. If we “build in” security from the beginning and adequately test our systems prior to launching any new code or modifying existing code, the likelihood of compromise is significantly lessened. Often, we see organizations rushing solutions out the door with an agile mindset that focuses on making it work over making it work securely. Align the overall information security program with a proven framework and measure your progress on a regular basis.

Sensitive data

The failure to keep our stakeholders’ sensitive data confidential is coming with greater consequences for organizations in the United States. Five states currently have privacy laws and another six have legislation at some stage of review. At the end of the day, we shouldn’t need legislation to force us to examine the sensitive data in our possession and verify that we protect it at every stage of the data lifecycle. We are the custodians of this data and owe it to our customers, clients, partners, and residents to verify that we always manage this information securely. If we fail to do so, we stand to lose their trust and may incur significant financial and operational penalties as a result.

I’m particularly concerned over the potential exposure of sensitive data for children under the age of 13. While this site may not specifically cater to that age group, I believe it’s likely we’ll see a much greater consumption of these services by children. If so, then we may see the FTC investigating under the Children’s Online Privacy Protection Rule (COPPA).”

Ian McShane, Field CTO
InfoSec Expert
July 22, 2022 1:29 pm

“Another day another breach – the news that Neopets has had its entire user database accessed by hackers proves once again no company is safe, whatever their industry. The attack has led to the data and credentials of over 69 million users being compromised and shared online. What is more alarming is, even if users change their passwords, they still remain at risk as the vulnerability has still not been fixed.

“While the data stolen from the incident is highly valuable, we all know that many people use the same passwords and usernames across many websites, and sometimes even use their corporate credentials.

“It would be a nice touch if Viacom, the parent company of Neopets, were to provide the impacted users with a year or two of a password manager subscription like LastPass or 1Password, rather than the usual ‘thoughts and prayers’ approach to helping the affected users.

“That said, while vulnerable emails and passwords can be changed, personal information like IP addresses, birthdays, and country location can’t, exposing users to the risk of identity theft for a long time to come. This should be another wake-up call to companies, as they no longer have an excuse to take only basic steps to protect users; instead, stricter security measures are a must.”

Garret F. Grajek, CEO
InfoSec Expert
July 22, 2022 1:28 pm

“The fact that NeoPets, a site on no one’s identity hit list, got attacked should be a warning to all companies. The attacks are targets of opportunity. It proves all sites are being scanned. The billions of bots just find a vulnerable website, database or resource and then an exploit is enacted – and the process to exfiltration commences. All sites must practice proper site maintenance and true identity governance to understand which accounts are ready for takeover.”
