Mixed Messages as Neopets Scrambles to Respond to Mega Breach

Tens of millions of users of a popular virtual pet site may have had their data compromised in the first known US mega breach of 2022.

Neopets, which is owned by US giant Viacom, took to Twitter yesterday to confirm the news.

“Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data,” it said.

“It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords.”

However, moderators on the Neopets Discord channel warned that hackers still had access to Neopets systems, so changing passwords now would not work.

“We should note that the effectiveness of changing your Neopets password is currently debatable,” they said. “As long as hackers have live access to the database, they can simply check what your new password is. We cannot therefore strictly advise you on the best course of action given the circumstances.”

They also claimed that more than email addresses and passwords had been stolen.

“A reported 69+ million accounts have been compromised, with the breadth of exposed personal information including passwords, birth dates, genders, names, countries and IP addresses,” they said.

“The leaked information and live database access and full source code are being offered for sale on a third-party website.”

Commentators have been lining up to add their observations on the attack, but without a clear indication on how the threat actor compromised the site, their “lessons learned” statements are mainly just speculation at the moment.

However, Rebecca Moody, head of data research at Comparitech, confirmed that if the figures are correct, it appears to be the biggest US breach of 2022 so far and the only one over 10 million customers.

“What's perhaps more concerning is the potential age range of the users affected with the website being popular among children and teens as well as adults,” she added.

Mike Varley, threat consultant at Adarma, said incident responders at Neopets now have to balance speed with effective remediation.

“Incident responders should be seeking to validate claims from the threat actor that they have ‘live’ access to the database. From there, responders will work backwards to identify both the point of initial access and any persistence mechanisms the actor may have installed,” he argued.

“Once identified, a remediation plan can be created that'll involve multiple actions occurring simultaneously or in rapid succession – designed to remove the adversary from the network, deny their access back into the environment and monitor for any further resurgence in adversary activity.”

What’s Hot on Infosecurity Magazine?