Cyber Incident Victim: Neopets
Date:
May 2016
Location:
United States of America
Summary
A virtual pets community experienced a large-scale cyberattack resulting in the compromise of tens of millions of user accounts, with a sample dataset confirming the validity of 83% of tested credentials. The breached information included email addresses, gender, country, state, and date of birth, though some records lacked complete fields and no financial or payment data was stored or exposed. The parent company acknowledged the incident involved historical data predating their ownership acquisition, confirming unauthorized access likely through criminal activity. While the exact scale remained unverified, the platform had over 90 million registered users at the time, and impacted credentials posed risks for account reuse across other services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 5, 2016, Neopets, a virtual pet community owned by JumpStart, experienced a significant data breach involving tens of millions of user accounts. The compromised data included usernames, email addresses, and limited personal information such as gender, country, state, and date of birth. Motherboard obtained a sample of 100,000 purported Neopets accounts from criminal underground sources, validating 83 out of 100 randomly selected usernames against active Neopets profiles. Some records lacked email addresses, though the reason for this inconsistency remained unclear. The total number of affected accounts was alleged to exceed 70 million, though this figure could not be independently verified. At the time of the breach, Neopets had over 90 million registered users. JumpStart confirmed the breach but stated the compromised dataset predated their 2014 acquisition of Neopets. No credit card information, physical addresses, or payment details were exposed, as Neopets did not store such data.
JumpStart’s Chief Revenue Officer Jim Czulewicz publicly acknowledged the cyberattack, characterizing it as likely criminal activity. The company committed to notifying all users and advising password resets as a precautionary measure. Czulewicz emphasized that user security was a top priority and reiterated Neopets’ focus on maintaining a safe environment for its community. Motherboard’s outreach to affected account holders included in the sample dataset yielded no responses, though emails successfully reached their destinations. The article initially referenced a prior Neopets security incident but later issued a correction clarifying that the earlier report was satirical and unrelated to factual events. The breach underscored risks associated with password reuse across multiple services, as compromised credentials could facilitate unauthorized access to other platforms. JumpStart’s response focused on mitigating immediate account security risks while downplaying financial exposure due to the absence of stored payment data.