A hacker claims to have stolen information from the virtual pet site Neopets, which has 69 million users. The breach is also confirmed by posts on the official Neopets accounts on Twitter and Instagram.
The Twitter post said that Neopets “recently became aware of a possible theft of customer data” and hired a forensics firm to investigate. The social media posts did not contain additional information about the extent of the hack. However, the company recommends that all users of the site change their passwords as a precautionary measure.
Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also involved in law enforcement and enhancing the protections for our systems and our user data. (1/3)
— neopets (@neopets) July 21, 2022
On Tuesday, a hacker named TarTarX began offering the data for sale on a hacker forum. He asked for a price of 4 bitcoins, which is equivalent to about $90.5 thousand. According to the hacker, the database includes usernames, email addresses, passwords, dates of birth, zip codes, genders and countries. The leak could therefore be used for phishing or other attempts to deceive Neopets users.
The hacker’s forum post also claims that they can still access the live version of the Neopets site’s database. This was confirmed by the owner of the hacker forum where the data was posted. If this is true, then even the precautions recommended by Neopets will not be enough to protect user accounts from unauthorized access, since a newly set password is stored in the same database the attacker can still reach.
The Neopets site was launched in 1999 and has often suffered from security issues in recent years, especially after ownership changed from Viacom to JumpStart Games in 2014. In 2016, there was a similar leak of data from tens of millions of users, which was then sold on hacker forums. And in 2020, security researchers discovered that the site’s entire codebase was being sold because of admin credentials written directly into sections of code that hackers had discovered.
Source: The Verge