Data Security: Breach and Leak Report

Neopets 2012 Database Breach

By Jackson White
1. Overview
If you had a Neopets (an online gaming platform) account before 2012/2013, your personal data may have been traded online. In May 2016, a set of breached data from the virtual pet website Neopets was found on the dark web; this site has confirmed it was leaked as early as May 2012, and some believe the leak lasted at least until 2013. The core of the breach is 27 million unique email addresses and passwords, which were stored in plain text. The sensitive personal information exposed includes:
  • name
  • email
  • password
  • birthdate
  • gender
  • country
  • IP address
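As an added illustration (not code from the report or from Neopets), the following contrasts a user table with plain-text passwords, as in this dump, with the same table storing a salted PBKDF2 hash; the sample rows and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked user table with plain-text passwords.
PLAINTEXT_ROWS = [
    {"email": "alice@example.com", "password": "hunter2"},
    {"email": "bob@example.com", "password": "hunter2"},
    {"email": "carol@example.com", "password": "neopia1"},
]

PBKDF2_ITERATIONS = 600_000  # tune to your hardware; slower means costlier for attackers too


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def convert_table(rows):
    """What the table should look like at rest: no recoverable password, only a hash."""
    return [{"email": r["email"], "password_hash": hash_password(r["password"])} for r in rows]


def exposed_credentials(rows):
    """Rows from which someone reading a dump can log in directly, without any cracking."""
    return sum(1 for r in rows if "password" in r)
```

With hashed storage a stolen table still exposes emails and profile fields, but a login-ready password for each of the 27 million accounts is no longer part of the dump.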
2. Official Response to Victims
Neopets' victims didn't get a positive settlement. The company admitted the breach but took no further action beyond offering some clarifications and suggestions.

Details: from the company's Facebook post of May 06, 2016

1.  The leaked data does NOT include credit card or payment information.

2.  The security breach was an incident that occurred in 2012, prior to JumpStart’s acquisition of Neopets.

3.  Lots of leaked accounts are inactive ones.

4.  Plans to implement a password reset for all affected players.

The company seems to care only about keeping current users' data safe. But the problem is that users' emails and birthdays have been leaked regardless of whether the accounts are active or inactive; all of those users are victims of the breach.

3.1 Total number
No one knows the exact number. In the 2012 Neopets database leak, 68 million users were reportedly impacted, including 27 million unique emails, although this is an unconfirmed estimate. It is the biggest leak in the Neopian world in quite some years.

3.2 Delay disclosing
The reason this hadn't been more widely publicized until May 2016, 4 years later, is that JumpStart tried to hide it. In fact, it has only been addressed by the JumpStart team in an announcement on their official Facebook page. The company may have many reasons to delay disclosure, but a general rule is that the earlier victims know, the less risk they bear.

3.3 Inactive users
Neopets and JumpStart emphasized that many of the victims are inactive accounts. That is not a smart comment: no company should keep inactive users' information, which is wrong even if it is never leaked.

3.4 Future instructions
An interesting thing is that Neopets gives instructions in case of a possible breach in the future:
  • Make a detailed list of all Neofriends, purchases, and transactions.
  • Be cautious on the laborious Request Support page.
  • Make sure you are working from your own account.
4. Others
This breach has two points worth noting.

4.1 Public knows it from the dark network
The company Neopets didn't disclose the security incident proactively; it was publicly exposed through forums dedicated to trading stolen credentials. Namely, when one of Neopets' apparent databases was put up for sale in May 2016, victims started to learn of the risk. This means cybercriminals had 4 years to exploit the data while victims had no warning.

Even after Neopets confirmed the breach, what it did was aimed at keeping its users rather than helping victims. It never talked about any settlement.

4.2 Underage users
Because Neopets is an online game website, it is possible that the exposed data pertains to millions of minors or underage users. They are more vulnerable to being targeted by phishing, scams, or other attacks than adults. This means extra work is needed to monitor the exposed accounts and to teach them awareness, in order to minimize the cyber risks arising from the breach.