69 million people are potentially at risk after the popular website Neopets fell victim to a data breach. The website, where users can own virtual pets, trade items, and play games, reportedly had its entire user database stolen.
Neopets confirmed the data breach on Twitter, saying it had called in the police and was working with a “leading forensics firm” to fix the problem.
In a short Twitter thread, Neopets said: “It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords.”
While the sentiment of this update makes a password change seem like a “one and done,” this incident appears to be an ongoing breach. If there is indeed a vulnerability that takes some time to fix, Neopets’ data – and users – could remain at risk for some time. Users may need to change their passwords on several occasions until Neopets’ parent company TNT addresses the issue that caused the breach.
A post on Neopets help site Jellyneo states: “As per TNT’s suggestions, we recommend you update your password (via ‘My Profile’). However, since TNT has not confirmed that the vulnerability has been patched, be prepared to change it again once we get the all clear.”
Jellyneo was also the initial source for information about the hack before Neopets’ confirmation was posted on Twitter. The data reportedly stolen includes a raft of sensitive information and personal identifiers that would make it reasonably easy for cybercriminals to commit identity theft and fraud, including:
- Email addresses
- IP addresses
- Countries of residence
According to reports, the entire database is for sale on the dark web with an asking price of four bitcoin. Supporting fears that this is an ongoing breach, the party selling the database also says they can grant access to the live database at additional cost.
While a Jellyneo update states the site doesn’t believe the breach compromised Neopets’ payment methods, this has yet to be confirmed.