Neopets Database Hacked & Stolen; Over 69 Million Accounts Up for Sale


Neopets, a browser based virtual pet-keeping game that has been around since the late ‘90s, has recently been a victim of data breach.

Hackers who have come out as masterminds behind the attack say that they have access to personal account information of more than 69 million members, as well as a large portion of the site’s source code. They are also prepared to sell off the data for a fee.

Here’s what’s happened.

What is Neopets?

If you grow up with TikTok, then Neopets might be alien to you.

Designed and developed by two students at Nottingham University, Neopets launched late 1999 and rapidly gained a dedicated player base. Neopets allowed players to choose a—you guessed it—pet from various different fantastical designs that you could feed, play mini games to earn neopoints and battle with others in the battledome. These activities are spread across 19 different themed lands set in the world of Neopia.

In 2005, Neopets was bought out by Viacom (yes, the Viacom that also owns Paramount), overhauling the design of the website and pushed out more promotional content.

The game went on to become a media empire, boasting a trading card game, a plushie line and various offline games. Neopets was riding high in the years of 2011-2014, where it garnered 1 trillion page views in 2011.

The downfall began when in 2014, education technology firm JumpStart acquired Neopets. The site started to be plagued with glitches and even experienced a similar data breach, where the information of 70 million Neopets account members was stolen.

Neopets have been on the downward trend for quite some time now, mainly due to the end of support for Flash from 12 Jan 2021, which is what the website was run on for decades.

That was when Neopets pivoted (again).

In a press release on 22 Sep 2021, JumpStart announced a partnership with blockchain firm Raydium to produce 20,500 “unique, algorithmically generated lovable Neopets NFTs.” This decision was largely met with negativity, with big dedicated fan sites such as Jellyneo and Dress To Impress deriding it as a cynical cash grab.

Netizens have also seen the writing on the wall, saying that the team at Neopets are not trying to save the game but rather milk it dry and close it for good.

Nevertheless, as of July 2022, Neopets is largely still the same gameplay wise. As many web browsers have released an update that disables Flash by default, Neopets have opted to migrate to support mobile.

They are working at upgrading and optimizing the website for mobile devices. As of right now, it is unclear if there will be a full Neopets app out in the future.

This ensures that games and features are easily accessible again after support for Flash was stopped back in 2021, it caused a lot of complications with playing the game itself as many mini games and features were locked by Flash support.

The Data Breach

In the latest data breach, not only are usernames and passwords associated with the platform at risk, but email addresses, Neopets users’ ages, genders, nationalities, birth dates and even IP addresses are allegedly being auctioned off.


Although let’s be frank: chances are, the email addresses would mostly be [email protected], and those emails are most probably inactive.

The official Neopets Twitter account and Instagram accounts confirmed these allegations and has issued a warning to users, advising users to change their Neopets password, as well as any accounts that share the same password.

According to Bleeping Computer, the data appears to have been put up for sale on popular hacking forum,

One particular hacker, known as TarTarX, claims to have live access to the compromised database. The hacker is demanding four bitcoins, which amounts to about SGD$117,091, for access to a snapshot of said database.

The hacker has also said they are “open to hearing offers” and that they will accept other cryptocurrencies in exchange for the data. For additional payment, they are offering live access to the database.


The validity of the claims appear to have been validated by the hacking site’s owner, pompompurin, who created an account on and was promptly sent their data back. This implies that the hacker may still have access to the data, which means that anyone scrambling to change their passwords is still unsafe from the breach.

Of course, the real question is…we’ve all forgotten our passwords. Right?

Read Also: