Neopets has suffered a serious data breach, resulting in personal information such as email addresses and passwords from over 69m accounts being leaked.
Users are now being urged to change their password for Neopets and any sites that use their Neopets password.
On Wednesday, community site Jellyneo revealed that Neopets is actively being hacked.
With help from an anonymous tip, they discovered the database and source code for Neopets was being sold on a hacker website. The seller was offering this access to buyers for 4 Bitcoin, which at the time of the breach was revealed was worth around $94,500.
Will update once TNT posts an update confirming that this access has been closed.
— Jellyneo.net (@jellyneo) July 20, 2022
For an additional fee, the seller was offering live access to the database, meaning that even if users changed their password, their information would still be available on the black market.
Neopets support team TNT issued a statement a few hours after the hack was publicised by Jellyneo, stating its acknowledgement of the issue in which “customer data may have been stolen”. The team further stated it was investigating the hack fully and had contacted a forensics firm and law enforcement to aid the investigation. In the meantime, TNT asked users to change their password.
Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data. (1/3)
— neopets (@Neopets) July 21, 2022
Payment methods are not thought to be at risk, but TNT is yet to respond to this question which is a point of concern for many of its users.
The Neopets website received an update early this morning, which repeats the previous statement from TNT to ensure users are aware of the ongoing matter.
At time of writing, there have been no further updates from TNT on whether financial information is at risk, the source of the hack, or whether the security flaw that allowed external access has been patched.
As of today, there have been no further updates by @Neopets regarding the breach and whether it has been patched yet or not.
If you’re just tuning in, the best thing you can do right now is make sure any *other* sites you share passwords with are updated with unique passwords. https://t.co/WeThcX6qjn
— Jellyneo.net (@jellyneo) July 22, 2022
Users should change any passwords for sites which shared their Neopets password whilst the vulnerability is still unconfirmed to have been fixed.