Tech

Another Day, Another Hack: Tens of Millions of Neopets Accounts

Quite literally, every day someone gets hacked. Whether that’s a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.

In our series Another Day, Another Hack, we do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, real people are still getting fucked over somewhere, and should know about it.

Videos by VICE

Tens of millions of user accounts from virtual pets community Neopets have allegedly been hacked and traded on the criminal underground.

Neopets, owned by games company JumpStart, is a website that allows players to care for digital “pets,” and buy items for them with virtual currency. Users signup with an email address, and provide a limited amount of personal information, such as their gender, country, state, and date of birth.

Motherboard obtained a sample of 100,000 apparent Neopet user accounts. Out of 100 randomly selected usernames, 83 corresponded to ones on Neopets. No apparent victims included in the Neopets breach responded to requests for comment, although the emails did deliver successfully.

Not all of the records contained every piece of information. For example, some accounts did not seem to include an email address. Why this was the case is unclear.

“After investigating the sample dataset of 100,000 records you forwarded, we have determined that the dataset was dated several years ago, prior to our Neopets acquisition,” Jim Czulewicz, chief revenue officer for JumpStart told Motherboard in an emailed statement. JumpStart acquired Neopets in 2014.

“Regardless, Neopets and our customers were the victim of a cyberattack and likely criminal activity. We plan to notify all users about the incident and advise them to reset their password. The security of our users’ personal information has always been a top priority for our company,” Czulewicz continued.

“It is important to note that no credit card or physical address information was included in the dataset and Neopets does not store any customer credit card or other payment information, so that specific data is not at risk of ever being compromised. Our brand is about creating joy and entertainment in the lives of our users and we are committed to always ensuring that experience is delivered in a secure, safe environment,” he added.

The number of records hacked allegedly totaled over 70 million, but Motherboard was unable to confirm this. At the time of writing, Neopets has in excess of 90 million users.

The lesson: As Czulewicz recommended, any Neopets users, even if they no longer play on the site, should change their password. With the information in the dump, a hacker could potentially access other services if they are protected with the same password.

Correction: In a previous version of this article, we said that this seemingly wasn’t the only time that Neopets had been the target of hackers. The report we referenced for that claim, however, was a piece of satire. We regret the error.