Cyber Incident Victim: Neopets
Date:
Jul 2022
Location:
United States of America
Summary
A virtual pet website suffered a data breach resulting in the theft of source code and a database containing personal information of over 69 million members, including usernames, email addresses, birth dates, and other registration details. The threat actor offered the stolen data for sale while maintaining continued access to the platform, with third-party verification confirming the breach's validity through newly created account records. Historical security issues were highlighted, including prior unauthorized database access by unrelated parties exploiting vulnerabilities in the site's infrastructure. The company acknowledged potential data compromise, initiated an investigation with external experts and law enforcement, and advised password resets. The breach was attributed to a general website exploit unrelated to the platform's specific codebase.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around July 19, 2022, Neopets suffered a data breach resulting in the theft of its website source code and a database containing personal information of approximately 69 million members. A threat actor using the alias 'TarTarX' advertised the stolen data for sale on July 20, 2022, demanding four bitcoins (approximately $94,000) for the compressed 460MB source code and member database. The compromised information included usernames, names, email addresses, zip codes, dates of birth, genders, countries, initial registration emails, and game-related details. TarTarX claimed to have maintained access to Neopets' systems during the sale period and stated they did not attempt to ransom the data to Jumpstart, the site's owner. Verification of the breach occurred when Breached.co forum owner 'pompompurin' registered a new Neopets account and received their full database entry from the hacker, confirming both the breach's validity and ongoing system access.
Neopets acknowledged the incident through a Twitter statement, confirming an investigation assisted by a forensics firm and coordination with law enforcement. The company urged users to change passwords, particularly if reused elsewhere, while noting email addresses and passwords were potentially compromised. This breach followed prior security incidents, including a 2012 breach that surfaced in 2016. Independent analysis by Reddit user 'neo_truths' revealed long-standing vulnerabilities, with the user claiming read-only database access for at least a year prior through exploits in legacy source code. neo_truths reported fixing two database access exploits used by other threat actors but clarified the 2022 breach stemmed from a general website vulnerability unrelated to Neopets-specific code. The compromised infrastructure reportedly suffered from understaffing and architectural complexity, with multiple historical breaches attributed to limited developer resources. Jumpstart did not initially respond to media inquiries regarding the incident timeline or mitigation specifics.