On July 21, Neopets, a website for adopting and raising virtual pets, announced on its website and on Twitter that it had been hacked. The hacker put the data of 69 million of its users up for sale on the dark web, and the site's source code was also stolen.
The TarTarX hacker stole the Neopets source code as well as 460 MB of compressed data.
Following this hack, Neopets wanted to inform its users of the situation, pointing out that “customer data may have been stolen.” A few hours later, the verdict came in: the data of 69 million Neopets accounts had been stolen by the hacker TarTarX, who put it up for sale on the dark web for 4 bitcoins, or about $92,000. He also offered the site’s source code for sale.
“We immediately launched an investigation,” the site administrators add. Officials also say they have called in law enforcement and are working to strengthen “the protection of our systems and our users’ data.” The breach affects the email addresses and passwords used to access Neopets accounts.
Neopets also recommends changing the password for your account, as well as for any other account that uses the same password. In addition to this information, the hacker had access to names, addresses, email addresses, country of residence, zip code, date of birth, etc. However, changing the password on Neopets may not be enough, since the hackers can potentially still gain access to the site’s servers and hence steal this new information.
Neopets reportedly left unfixed many of the flaws that make it easier to hack
This is not the first time Neopets has been breached. The site was hacked in 2012, and the stolen data did not appear on the dark web until four years later. According to Bleeping Computer, several users have mentioned, for several years now, the existence of flaws on the site that allow access to the firm’s database. Such is the case with neo_truths, a Reddit user who claims to have had read access to that database for at least a year.
For his part, the hacker TarTarX confided in Bleeping Computer. He says he did not offer a buyout to Jumpstart Games, the company that has owned Neopets since 2014. He says that several people would be interested in paying 4 bitcoins to get the data he stole. When he started selling this data, the hacker said he still had access to the site’s information.
The year 2022 has been marked, in particular, by numerous hacks by the North Korean hacker group Lazarus, which was behind the theft of 500 million euros in Ethereum on the Ronin blockchain, as well as the hack of the Harmony blockchain, carried out to raise $100 million in funds. However, the American authorities reportedly managed to take $500,000 back from the hackers, little consolation in the face of hundreds of millions of euros stolen.