Virtual pet website Neopets has been subject to a major security breach that may have compromised 69 million user accounts.
Confirming the breach on Discord, a Neopets representative said the company was “working on” a response. Hours later, the company took to Twitter to address the breach.
“Customer data may have been stolen,” read the first of a three-part tweet. “We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.”
Neopets has advised all users to change their email addresses and passwords, especially if those passwords have been used elsewhere. “As our investigation continues, we will update you as appropriate,” continued the company. “We truly appreciate your understanding and patience at this time.”
News of the breach first broke on Neopets community website JellyNeo after the alleged hacker offered to sell “the complete database and source code.” The source code includes, among other things, personal information for all users and live access to the database that would allow any prospective buyer to modify data, credits, and in-game pets.
At time of writing, it is unclear if credit card information has also been compromised. Users are able to buy the title’s in-game NeoCash currency using their credit card, along with a paid subscription tier that contains premium features such as unlocking dedicated forums and removing ads.
The hacker currently intends to sell the information for the price of four Bitcoin, which converts to about $100,000.
Another Neoday in the life of Neopets
When it launched in November 1999, Neopets’ claim to fame was allowing users to create their own virtual pets and take care of them, similar to Tamagotchis. Like other online communities, it has themed events around real-world holidays in addition to its own economy and interactive storylines. The game also served as a gateway into game development for several developers, including Fullbright’s Nina Freeman.
This marks the second time in recent years that Neopets has been hacked. In 2016, tens of millions of accounts were compromised, resulting in the distribution of sensitive user information. Some Neopets users, however, also used that information for their own ends, stealing in-game Neopoints and ultra-rare pets from other players.
Educational games publisher JumpStart Games acquired Neopets in 2014. JumpStart itself was then acquired by Chinese online operator NetDragon in 2017. Last year, the Neopets community criticized JumpStart for allowing Metaverse NFTs.