The Hackers Who Breached Neopets Were Inside Its IT Systems for 18 Months

New details about a massive data breach affecting the digital pet company shows that the hacker had long-term access to its network and user data.

We may earn a commission from links on this page.
Image for article titled The Hackers Who Breached Neopets Were Inside Its IT Systems for 18 Months
Screenshot: Lucas Ropek/Neopets

Neopets, the company that sells virtual pets to tweenagers (and also a weird amount of adults), suffered a pretty devastating data breach earlier this year, but a recent update seems to show it was far worse than we previously thought.

In July, the company announced that it had been hacked and that data on its members—believed to be about 69 million people—had potentially been accessed. This week, the company divulged new details about the incident, revealing that, among other things, the cybercriminals were able to linger inside its corporate IT systems for about 18 months.

An update published Monday shows that, from January 3, 2021 until July 19, 2022, the cybercriminals had access to member user data. What kind of data? It would appear to be pretty much everything. The update reads:

After our investigation, we have determined that for past and present Neopets players, affected information may include the data provided when registering for or playing Neopets, including name, email address, username, date of birth, gender, IP address, Neopets PIN, hashed password, as well as data about a player’s pet, game play, and other information provided to Neopets. For players that played prior to 2015, the information also could have included non-hashed, but inactive, passwords.


Shoot, a fella could have quite a weekend in Vegas with all that stuff. Cybercriminals pretty much live for this kind of data trove—the kind that gives them a direct road map to identity theft or the ammo necessary to conduct highly accurate spear phishing trips.

Probably the worst thing about all this is that the alleged culprit behind the incident, a pseudonymous hacker by the name of “TarTarX,” was witnessed attempting to sell off the data way back in July. BleepingComputer originally reported that the hacker was seen advertising the data haul for the asking price of four bitcoin (approximately $94,000). It’s unclear whether anybody ever took them up on that offer.


What is Neopets doing to keep its users safe after this whole debacle? In its update, the company offered the following:

“Neopets is committed to safeguarding our players’ personal information. As part of our ongoing commitment to the safety and privacy of the Neopets’ player information in our care, we have reset players’ passwords and are working on adding multi-factor authentication to better safeguard your account access.”


Neopets also recommended remaining “vigilant against threats of identity theft or fraud” and offered resources to obtain a free credit report and other precautions.

Aside from this data breach, the second worst thing to happen to Neopets lately is its full-on transmogrification into a crypto-fueled Metaverse experience. Last September, the company launched an NFT collection, allowing users to buy or trade digital assets of their favorite pets. Since then, the company has been hustling to manifest its Web3 destiny: just this past Friday, it announced the launch of its free-to-play Metaverse game. In it, you can pet and groom your plushie, explore Neopia, and, of course, participate in “staking and GameFi activities.” Hopefully, they manage to protect your crypto better than they did your personal information.