Update 4:43pm: Today Neopets has also been experiencing downtime across the site. The first reported downtime was around 6am NST. Since then the site appears to have been rolling on and offline, returning 404 errors.
Neopets addressed this at 8am NST on their social media accounts:
Today Neopets has issued an update on the Data Breach that occurred at the start of August.
This has been sent to users via an Email newsletter as well as shared across social media accounts.
The main point to take away is below: what data was actually accessed, and the period in which it appears to have been accessed:
“After our investigation, we have determined that for past and present Neopets players, affected information may include the data provided when registering for or playing Neopets, including name, email address, username, date of birth, gender, IP address, Neopets PIN, hashed password, as well as data about a player’s pet, game play, and other information provided to Neopets. For players that played prior to 2015, the information also could have included non-hashed, but inactive, passwords. This information appears to have been accessed and potentially downloaded between January 3-February 5, 2021, or July 16-19, 2022.
We do not store users’ government issued identification numbers, bank account information, or payment card information.”
In terms of what Neopets is now doing to prevent this from happening again... well, we all know the saga surrounding the current StackPath captcha screens, which are essentially banning Neopians. However, more info is below:
“What We Are Doing
Neopets is committed to safeguarding our players’ personal information. As part of our ongoing commitment to the safety and privacy of the Neopets’ player information in our care, we have reset players’ passwords and are working on adding multi-factor authentication to better safeguard your account access. We have also enhanced the protection of our systems, including by further strengthening our network monitoring, authentication, and system protection.”
You can read the full statement at the link below:
Not really much of an update here overall, but it is encouraging that it is clear no banking or payment information was breached, as it isn’t stored on the site. Also important to point out is that passwords are indeed hashed after 2015. This means that at the time of the breach passwords were put through a one-way algorithm that produces a string of characters standing in for the actual password. Hackers can indeed in some cases crack this (a hash is recovered by guessing passwords and comparing the results, not by decrypting it), but it is good to know that the passwords weren’t stored in plain text… that’s one thing.
As for some of the proposed safeguards they are working on, such as multi-factor authentication, these should have been implemented years ago. It is a shame it has taken an event such as this for them to only now look to implement it.
Are you satisfied with how this has been handled? Let us know your thoughts.