Virtual pet website Neopets has suffered from a data breach leading to the theft of a database and source codes containing the sensitive information of over 69 million members.
The Neopets website allows members to own, raise, and play games with their virtual pets. The popular website recently launched NFTs that will be used as part of an online Metaverse game.
Earlier this week, a hacker using the name ‘TarTarX’ began selling the source code and database for the Neopets.com website for four bitcoins, with an approximate worth of $94,000 in today’s money.
TarTarX told BleepingComputer that they stole the database and approximately 460MB (compressed) of source code for the neopets.com website.
The hacker claims that this database contains the account information of over 69 million members, including email addresses, zip codes, and names, among other data.
The hacker also told BleepingComputer that they did not ransom the data to the owners of Neopets, Jumpstart, but have received interest from potential external buyers.
The authenticity of the database has not been independently verified yet. Pompompurin, the owner of the Breached.co hacking forum, verified the hacker’s claims by registering an account on the website and was then sent their newly created record from the database.
Pompompurin posted on the Breached.co forum: “Vouch, I registered an account on the website and he sent the full entry.”
This shows that TarTarX continued to have access to the site even as the data had begun being sold off.
The Neopets team confirmed on the unofficial Neopets Discord server that they are aware of the security incident and were working on resolving it.
“We should note that the effectiveness of changing your Neopets password is currently debatable as long as hackers have live access to the database, as they can simply check what your new password is.”
“We cannot therefore strictly advise you on the best course of action given the circumstances.”
However, if you use the same Neopets password on other sites, you are advised to change your password on other sites to new ones.