Neopets, the virtual pet website has disclosed a data breach. The breach was initially confirmed on July 20th, 2022, on Discord by a Neopets representative after it was reported on a community site. Neopets then tweeted about the event and posted a message on their customer forum as well. A portion of that statement read, “Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.” The information that was accessed is already for sale on a criminal forum, with the threat actor claiming to have information such as email addresses and passwords as well as live access to the database. The full scope of the breach is unknown and there is some speculation that payment information may be included also, but that has not been confirmed. Requests for additional information have not been answered by Neopets thus far.
Moving forward with revamping their security measures, Neopets should consider a defense-in-depth strategy. Those within the Neopets community should be vigilant in the coming months as they will likely be targets for those that gain access to the information that was accessed in the breach. Changing passwords is heavily advised, and it is also important the same passwords are not being recycled on other sites; if they are, those should also be changed. While it has not yet been confirmed that payment information was included, Neopets users should also keep an eye on bank and credit card statements for any suspicious activity.