What happened
According to public breach records, the Neopets data breach on May 5, 2013 is reported to have exposed the personal information of 26,892,897 accounts.
In May 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email addresses. Passwords were stored in plain text and IP addresses were also present in the breach.
Passwords in this breach were reportedly stored in plaintext.
In May 2016, a set of breached data originating from the virtual pet website Neopets was found being traded online, with the underlying compromise dated to May 2013. The breach exposed approximately 26.9 million accounts, including usernames, email addresses, names, dates of birth, genders, geographic locations and IP addresses. Notably, the account passwords were stored in plain text rather than hashed, meaning credentials were directly readable once the data surfaced.
What data was exposed
The following types of personal data were compromised:
- Dates of birth
- Email addresses
- Genders
- Geographic locations
- IP addresses
- Names
- Passwords
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | Neopets |
| Date | May 5, 2013 |
| Accounts affected | 26,892,897 |
| Domain | neopets.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Neopets; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Neopets password immediately, and because the passwords were exposed in plain text, change that same password anywhere else you reused it.
- Enable two-factor authentication on your email and any accounts that shared the exposed password, since reused credentials are the primary risk from this leak.
- Treat email tied to this account as a phishing and spam target, and be wary of messages that reference your username, date of birth, or location to appear legitimate.
- Be alert for social-engineering or identity-verification attempts that abuse the leaked date of birth, name, and location, and avoid using those details as security answers elsewhere.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: Neopets Data Breach
- Update: Neopets Is Still A Thing And It's Exposing Sensitive Data — The Security Ledger
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →