Neopets 2012 Database Breach

Breach and Leak Report: Neopets data breach was disclosed in 2016, and the online game website has leaked 70 million around account data, especially email and birthday of minors or underage users.

 Learn how to check breach in 5 minutes
 Tips about Data Breach
 By Jackson WhiteBack to Breach List  
Neopets 2012 Database Breach
1. Overview
Yahoo Email BreachNeopets data breach was disclosed in 2016, 4 years after the security incident. The online game website has leaked 70 million account data, including email, password, birthday, and other personal information. Significantly, the website has lots of minors or underage users. It causes extra work to monitor the exposed accounts and minimize the cyber risks exploited by the breach.

If you have a NeopetsĀ (an online gaming platform account before 2012/2013, your data may have traded online. In May 2016, a set of breached data from the virtual pet website Neopets was found on the dark network, which is confirmed by this website leaked as early as May 2012. But some believe the leakage at least lasted till 2013. 27 million unique email addresses and passwords, which were stored in plain text, are the core contents of the breach. Sensitive personal information includes:
  • name
  • email
  • password
  • birthdate
  • gender
  • country
  • IP address
2. Offical Response to Victims
Neopets' victims didn't get positive settlements. The company admitted the breach but didn't take further actions except giving some clarifications and suggestions.

Details: In Facebook of May 06,2016

1.  The leaked data does NOT include credit card or payment information.

2.  The security breach was an incident that occurred in 2012 before JumpStart acquired Neopets.

3.  Lots of leaked accounts are inactive ones.

4.  Plan to implement a password reset for all affected players.

The company seems to care just the data of current users safe. But the question is users' emails and birthdays have been leaked no matter active or inactive users are victims of the breach.

Yahoo Email Breach
3.1 Total number
No one knows the exact number. But in the 2012's Neopets Database Leak, 68 million users were impacted and included 27 million unique emails, although it's an unconfirmed estimate. It's the most extensive leakage in the Neopian world in quite some years.

3.2 Delay disclosing
The reason why this hadn't been more widely publicized until May 2016, 4 years later, is that Jumpstart tried to hide it. It's only been addressed by the Jumpstart team in an announcement on their official Facebook page. The company may have many causes to delay disclosing, but a general rule is that the earlier victims know, the less risk they take.

3.3. Inactive users
Neopets and JumpStart emphasized lots of victims are inactive accounts. It's not an intelligent comment. Any company shouldn't keep inactive users' information, which isn't the right thing even if it isn't leaked.

3.4. Future instructions
The interesting thing is that Neopets gives instructions for possible breaches in the future:
  • Make a detailed list of all Neofriends, purchases, and transactions.
  • Be cautious on the laborious Request Support page.
  • Ensure to work with your account.
4. Others
This breach has two particular points to notice.

4.1 Public knows it from the dark network
Neopets didn't disclose the security incident positively, which was publicly exposed through forums dedicated to trading stolen credentials. Namely, when one of the Neopets' apparent databases was put up for sale in May 2016, victims started to know the risk. It means cybercriminals have four years to exploit these data while victims have no warning.

Even after Neopets confirmed the breach, they kept its users rather than help victims. It never talked about any settlement.

4.2. Underage users
Because Neopets is an online game website, the exposed data may pertain to millions of minors or underage users. They are more vulnerable to phishing, scams, or other attacks than adults. It means we need extra work to monitor the exposed accounts and teach them awareness to minimize the cyber risks exploited with the breach.