Neopets data breach exposes personal data of 69 million members


Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members.

Neopets is a popular website where members can own, raise, and play games with their virtual pets. Neopets recently launched NFTs that will be used as part of an online Metaverse game.

On Tuesday, a hacker known as ‘TarTarX’ began selling the source code and database for the website for four bitcoins, worth approximately $94,000 at today’s prices.

Data sold on a hacking forum
Source: BleepingComputer

In a conversation with BleepingComputer, TarTarX says that they stole the database and approximately 460MB (compressed) of source code for the website.

The seller claims that this database contains the account information of over 69 million members, and in a screenshot shared with BleepingComputer, you can see the data includes members’ usernames, names, email addresses, zip code, date of birth, gender, country, an initial registration email, and other site/game-related information.

Schema for stolen database
Source: TarTarX

While the hacker would not reveal how they gained access to the website, they told us that they did not ransom the data to Jumpstart, the owners of Neopets, but have received interest from potential buyers.

At this time, BleepingComputer has not been able to independently verify the authenticity of the database. However, pompompurin, the owner of the hacking forum, verified the hacker’s claims by registering an account on the website and being sent their newly created record from the database.

“Vouch, I registered an account on the website and he sent the full entry,” pompompurin posted to the forums.

Furthermore, this verification showed that TarTarX continued to have access to the site even as they began selling the data.

Breach is confirmed

After news of the breach spread online, the Neopets team, designated by the TNT abbreviation, confirmed on the unofficial Neopets Discord server that they are aware of the security incident and are working on resolving it.

TNT member Willow confirmed the breach
Source: BleepingComputer

Volunteer Discord moderators are warning that changing passwords on Neopets may not help secure your account if the attackers still have access to Neopets’ servers.

“We should note that the effectiveness of changing your Neopets password is currently debatable as long as hackers have live access to the database, as they can simply check what your new password is,” reads an announcement on the Neopets Discord server.

“We cannot therefore strictly advise you on the best course of action given the circumstances.”

However, if you use the same Neopets password on other sites, you are strongly advised to change your password on those sites to a different one.

Neopets members can monitor a topic on the Neopets help site Jellyneo or the Jellyneo Twitter account, where other members are keeping track of any official updates from the Neopets staff.

This is not the first data breach for Neopets, with member data previously circulating online in 2016 from a breach that occurred in 2012.

BleepingComputer has contacted Jumpstart about the breach but has not received a reply at this time.

However, late last night, the Neopets Twitter account shared a statement that we have reproduced in full below.

“Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data.

It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords.

As our investigation continues, we will update you as appropriate. We truly appreciate your patience and understanding at this time. Thank you.” – Neopets.

Others already had access

While this breach appears to be new, Neopets has a history of unauthorized access to their systems.

A Reddit user named neo_truths told BleepingComputer that they have had “read” access to the database for at least a year after finding exploits in the site’s leaked source code.

neo_truths told us that they use this access to analyze and share information about the game mechanics on Reddit.

However, neo_truths said that they used someone else’s exploit to inject code into a PHP eval() function to modify the game as an April Fools joke.

Unfortunately, neo_truths says that the code is huge and spread out over many servers, with only a few developers to manage it. This lack of staff has led to numerous breaches by multiple people in the past, with one actively used exploit reported to the devs who ultimately fixed it.

“Neo is full of breaches and multiple people had (and maybe still have) access for years. The only difference is they use it privately (mostly for genning and selling offsite) and I try to address some known issues with actual data,” explains neo_truths in a comment on Reddit.

“I have already reported 2 exploits that allowed db access that other people had used (one of them for months/years hard to tell). I could have not found them if I didn’t have access myself.

“I could always choose to reveal my own method thus losing access which would be the correct thing, but at the same time that would let the others run free. But yes I understand that from a user perspective it’s very worrying someone can arbitrarily access their data.”

While neo_truths has had access to the Neopets database for some time, they told BleepingComputer that they were not involved in this recent breach and believe the threat actors gained access using a flaw unrelated to Neopets code.

“The exploit this time is unrelated to neo code, just a general exploit many websites have,” neo_truths told BleepingComputer.

Update 7/20/22 11:07 PM EST: Clarified that the Discord server is an unofficial Neopets server and that the announcement was from volunteer moderators. Added information about Neo_Truths.
Update 7/21/22 09:25 AM EST: Added statement from Neopets.

