Neopets hack may have compromised the user data of millions

gamedeveloper.com:

Virtual pet website Neopets has been subject to a major security breach that may have comprised 69 million user accounts.

Confirming the breach on Discord, a Neopets representative said the company was "working on" a response. Hours later, the company took to Twitter to address the breach.

"Customer data may have been stolen," read the first of a three-part tweet. "We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data."

Neopets has advised all users to change their email addresses and passwords, especially if those passwords have been used elsewhere. "As our investigation continues, we will update you as appropriate," continued the company. "We truly appreciate your understanding and patience at this time."

News of the breach first broke on Neopets community website JellyNeo after the alleged hacker offered to sell "the complete database and source code." The source code includes, among other things, personal information for all users and live access to the database that would allow any prospective buyer to modify data, credits, and in-game pets.

At time of writing, it is unclear if credit card information has also been compromised. Users are able to buy the title's in-game NeoCash currency using their credit card, along with a paid subscription tier that contains premium features such as unlocking dedicated forums and removing ads.

The hacker currently intends to sell the information for the price of four Bitcoin, which converts to about $100,000.

When it launched in November 1999, Neopets' claim to fame was allowing users to create their own virtual pets and take care of them, similar to