Wikipedia defines Neopets as a ‘virtual pet website’, and the parallels with the ‘tamagotchi’ are clear: after all, Neopets has been online since 1999, no less, just a few months after the craze for the famous Japanese devices exploded in the West.

But Neopets is not in the news because of this, nor because of its recent commitment to NFT technology… but because those responsible for the website —and by extension, all its users— are in trouble, after it was made public that the platform has suffered a data breach that has led to the theft of the source code and a database that collects personal information of more than 69 million users.

In fact, the pack with the 460 MB of source code and the database is for sale for 4 bitcoins (approximately €94,000) on a Dark Web forum, after being posted last Tuesday by a cybercriminal known as TarTarX.

Bleeping Computer, the first publication to report this leak, claims to have had access to a screenshot shared by the aforementioned TarTarX, which shows that the database includes the following information:

Real name and ‘nick’ of the user.

Email address (initial and current).

Date of Birth.

Postal Code.

Sex and nationality.

Date of last login.

Password.

At Neopets, is every day an open house?

TarTarX has not revealed how he managed to access the data, but he has made it clear that, even after it was released, he still had access to the updated data. According to Bleeping Computer, the owner of the hacking forum Breached.co wanted to verify the hacker’s claims by registering an account on Neopets.com himself, after which TarTarX sent him the data with which he had registered.

Just a few hours ago, the official Neopets Twitter account confirmed that the data of its clients “may have been stolen”, so they had turned to “a leading forensic firm” and law enforcement to start investigating what happened.

“It appears that the email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you change those passwords as well.”

Nevertheless, as long as it is not guaranteed that TarTarX and his associates no longer have access to the Neopets servers, the advice to change the Neopets password is counterproductive, because the new one would end up being leaked anyway. However, the suggestion to change it on other websites is most pertinent and urgent.

It is no use changing the password of a website if you are not sure that the hacker will not also see the new one

Bleeping Computer also cites a Reddit user named neo_truths, who claims to have had “read access” to the website’s data for a year now (and to know people who have had it for longer), as well as having taken advantage of a third-party exploit to inject code into a PHP eval() function with the aim of modifying the game as an April Fool’s Day joke.

The aforementioned user attributes these vulnerabilities to the fact that “the code is huge and spreads across many servers, and there are only a few developers to manage it”. neo_truths, however, states that the method he uses to gain access “is a general exploit that many websites have” and that he doesn’t think it was the one used to trigger the leak.
