Neopets, a website where people own virtual pets, play games and trade pet-related items, has had its user database stolen.
In a short Twitter thread (opens in new tab), the site confirmed the breach, explaining it has notified the police and brought in a “leading forensics firm” to address the issue.
“It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords,” the thread states.
However, this seems to be an ongoing breach, caused by a vulnerability that likely has not yet been patched. As such, users could be asked to change their passwords again, after parent company TNT plugs the security hole.
“As per TNT’s suggestions, we recommend you update your password (via “My Profile”). However, since TNT has not confirmed that the vulnerability has been patched, be prepared to change it again once we get the all clear,” advises a post on Jellyneo (opens in new tab), a popular Neopets help site.
This site was also the one to share more details on the hack. Allegedly, data on more than 69 million users was compromised, including plenty of sensitive and personally identifiable information, such as email addresses, passwords, genders, IP addresses, countries, as well as birthdays – all the ingredients necessary for identity theft (opens in new tab).
The entire database (opens in new tab) has allegedly been put up for sale on the black market, for a total of four bitcoin, which is worth roughly $91,500 at press time. The seller also claims the buyer can get live access to the database, for an extra fee.
TNT is yet to confirm whether the site’s payment methods were compromised. Although Jellyneo says “we don’t believe payment methods were breached”, an official confirmation is missing.