Neopets 2012 Database Breach

Breach and Leak Report: The Neopets data breach was disclosed in 2016. The online game website leaked data from around 70 million accounts, notably the emails and birthdays of minors or underage users.

By Jackson White
1. Overview
The Neopets data breach was disclosed in 2016, 4 years after the security incident. The online game website leaked data from 70 million accounts, including email, password, birthday, and other personal information. Significantly, the website has many minors or underage users, which means extra work is needed to monitor the exposed accounts and minimize the cyber risks arising from the breach.

If you had a Neopets (an online gaming platform, neopets.com) account before 2012/2013, your data may have been traded online. In May 2016, a set of breached data from the virtual pet website Neopets was found on the dark network, which this website confirmed was leaked as early as May 2012. Some believe the leakage lasted at least until 2013. The core of the breach is 27 million unique email addresses and passwords, which were stored in plain text. Sensitive personal information includes:
  • name
  • email
  • password
  • birthdate
  • gender
  • country
  • IP address
2. Official Response to Victims
Neopets' victims didn't get any positive settlement. The company admitted the breach but took no further action beyond giving some clarifications and suggestions.

Details, from a Facebook post of May 06, 2016:

1.  The leaked data does NOT include credit card or payment information.

2.  The security breach was an incident that occurred in 2012 before JumpStart acquired Neopets.

3.  Lots of leaked accounts are inactive ones.

4.  Plan to implement a password reset for all affected players.

The company seems to care only about keeping current users' data safe. But the point is that users' emails and birthdays have been leaked, and both active and inactive users are victims of the breach.

3. Comments
3.1 Total number
No one knows the exact number. But the 2012 Neopets database leak impacted 68 million users and included 27 million unique emails, although this is an unconfirmed estimate. It's the most extensive leak in the Neopian world in quite some years.

3.2 Delay disclosing
The reason this wasn't more widely publicized until May 2016, 4 years later, is that JumpStart tried to hide it. It has only been addressed by the JumpStart team in an announcement on their official Facebook page. The company may have many reasons for delaying disclosure, but a general rule is that the earlier victims know, the less risk they take.

3.3 Inactive users
Neopets and JumpStart emphasized that many of the victims are inactive accounts. It's not an intelligent comment. No company should keep inactive users' information; doing so isn't right even if the data isn't leaked.

3.4 Future instructions
The interesting thing is that Neopets gives instructions for possible breaches in the future:
  • Make a detailed list of all Neofriends, purchases, and transactions.
  • Be cautious on the laborious Request Support page.
  • Ensure to work with your account.
4. Others
This breach has two particular points to notice.

4.1 The public learned of it from the dark network
Neopets didn't proactively disclose the security incident, which was publicly exposed through forums dedicated to trading stolen credentials. That is, victims only started to learn of the risk when one of Neopets' apparent databases was put up for sale in May 2016. It means cybercriminals had four years to exploit the data while victims had no warning.

Even after Neopets confirmed the breach, it kept its users rather than helping victims. It never talked about any settlement.

4.2 Underage users
Because Neopets is an online game website, the exposed data may pertain to millions of minors or underage users. They are more vulnerable than adults to phishing, scams, or other attacks. It means extra work is needed to monitor the exposed accounts and teach these users awareness to minimize the cyber risks arising from the breach.