If you have Neopets (an online gaming platform neopets.com) account before 2012/2013, your personal data may be been trading online. In May 2016, a set of breached data from the virtual pet website Neopets was found on the dark network, which is confirmed by this website leaked as early as May 2012. But some believe the leakage at least lasted till 2013. 27 million unique email addresses and passwords, which were stored in plain text, are the core contents of the breach. Sensitive personal information includes:

• name
• email
• password
• birthdate
• gender
• country
• IP address

Neopets' victims didn't get positive settlements. The company admitted the breach, but don't take further actions except giving some clarifications and suggestions.

Details: In Facebook of May 06,2016

1.  The leaked data does NOT include credit card or payment information.

2.  The security breach was an incident that occurred in 2012, prior to JumpStart’s acquisition of Neopets.

3.  Lots of leaked accounts are inactive ones.

4.  Plan to implement a password reset for all affected players.

The company seems to care just data of current users safe. But the question is users' emails and birthdays have been leaked no matter active or inactive users, who are victims of the breach.

No one knows the exact number. But in the 2012's Neopets Database Leak, 68 million users were impacted, and included 27 million unique emails, although it's an unconfirmed estimate. It's the biggest leakage in the Neopian world in quite some years.

The reason why this hadn’t been more widely publicized until May 2016, 4 years later, is that Jumpstart tried to hide it. In fact, it’s only been addressed by the Jumpstart team in an announcement on their official Facebook page. The company may have lots of causes to delay disclosing, but a general rule is the earlier victims know, the less risk they take.

Neopets and JumpStart emphasized lots of victims are inactive accounts. It's not a smart comment. Any company shouldn't keep inactive users' information, which definitely isn't the right thing even they aren't leaked.

An interesting thing is that Neopets gives instructions for possible breach in the future:

• Making a detailed list of all Neofriends, purchases, and transactions.
• Being cautious on the laborious Request Support page.
• Ensuring to work with your own account.

This breach has 2 special points to notice.

The company Neopets didn't disclose the security incident positively, which was publicly exposed through forums dedicated to trading stolen credentials. Namely, when one of the Neopets’ apparent databases was put up for sale in May 2016, victims started to know the risk. It means cybercriminals have 4 years' time to exploit these data while victims have no warning.

Even after Neopets confirmed the breach, what they did is to keep its users rather than help victims. It never talked about any settlement.