The online pet website Neopets has confirmed it fell victim to a data breach that exposed the personal information of approximately 69 million users. The website’s source code was also stolen in the attack. Neopets recently launched NFTs as part of a plan to create an online Metaverse game in which users can own, raise and play games with their virtual pets.
According to reports, the breach occurred on Tuesday and has since been attributed to a hacker known as ‘TarTaxX’, who began selling the source code and database on the dark web, charging approximately $94,000 in Bitcoin. The hacker has not revealed how they obtained access; however, they have confirmed that the data was not ransomed.
Tim Marley, VP Audit, Risk & Compliance at Cerberus Sentinel told the IT Security Guru that: “The failure to keep our stakeholder’s sensitive data confidential is coming with greater consequences for organizations in the United States. Five states currently have privacy laws and another six have legislation at some stage of review. At the end of the day, we shouldn’t need legislation to force us to examine the sensitive data in our possession and verify that we protect it at every stage of the data lifecycle. We are the custodians of this data and owe it to our customers, clients, partners, and residents to verify that we always manage this information securely. If we fail to do so, we stand to lose their trust and may incur significant financial and operational penalties as a result.”
Neopets members are strongly urged to change their passwords on any site where they used the same or a similar password to the one they used on the virtual pet game. Changing the password on the Neopets site itself, however, is not guaranteed to secure the account while the hackers still have access to the servers, which in this instance holds true.
Marley continues: “I’m particularly concerned over the potential exposure of sensitive data for children under the age of 13. While this site may not specifically cater to that age group, I believe it’s likely we’ll see a much greater consumption of these services by children. If so, then we may see the FTC investigating under the Children’s Online Privacy Protection Rule (COPPA).”
Also commenting on the incident is Mike Varley, threat consultant at Adarma: “Responding to incidents such as these needs a finely tuned balance of speed along with remedial actions. Incident responders should be seeking to validate claims from the threat actor that they have ‘live’ access to the database, which was reportedly confirmed by another user of the initial forum where the leak was posted. From there, responders will work backwards to identify both the point of initial access and any persistence mechanisms the actor may have installed. Once identified, a remediation plan can be created that’ll involve multiple actions occurring simultaneously (or in rapid succession) designed to remove the adversary from the network, deny their access back into the environment, and monitor for any further resurgence in adversary activity.”
He concluded that “lessons learned after the threat has been eradicated should be viewed by organisations as a way to improve, to build back better and a stark reminder to take the security of their environment, and their customers, very seriously by stopping history from repeating itself.”
According to a Reddit user, this is not the first data breach affecting the virtual pet world. A Twitter account has been set up which members can refer to for official updates from staff and for guidance on how to proceed if their data has been affected.