Virtual pet gaming platform.
Neopets, a virtual pet gaming and online community platform, suffered a data breach in approximately 2012 to 2013 (publicly indexed by Have I Been Pwned on July 7, 2016, with a breach date of May 5, 2013) when attackers exfiltrated a database of user account information from the platform. The breach data circulated among breach-trading communities for several years before being formally indexed in 2016, representing a significant disclosure-delay window during which affected users had no notification of their exposure. The breach was redistributed and indexed by DataBreach.com on December 1, 2024 with an expanded record count that may reflect the inclusion of data from a subsequent 2022 breach in which approximately 69 million Neopets accounts were exfiltrated by a hacker using the alias 'TarTarX' along with the platform's source code. The breach affected approximately 27 million unique email addresses based on records indexed by Have I Been Pwned (with DataBreach.com listing approximately 68.5 million records that may reflect the combined 2013 and 2022 incident scopes). Compromised fields included email addresses, names, usernames, dates of birth, gender, geographic locations including ZIP codes for the U.S. user subset, IP addresses, and passwords stored in plaintext. The plaintext password storage represents a critical security failure that exposes the original credential values directly, with no cryptographic protection of any kind. The exposure of dates of birth combined with the platform's predominantly youth user base means that a substantial proportion of the affected accounts belong to users who were minors at the time of account creation, with many having transitioned to adulthood during the multi-year period between the breach and public disclosure.
For affected users, the practical risk profile combines long-running credential-reuse exposure with identity-fraud risk that has accumulated over the substantial gap between the original breach and present-day awareness. The plaintext password exposure means that any account where the user reused the Neopets password is fully compromised, with credential-stuffing risks expected on email, gaming, and other accounts that may have been created with the same password during a user's adolescence and carried forward into adult life. Date of birth and geographic location exposure for users who were minors at the time of the breach creates long-tail identity-fraud risk that may not be apparent until the user applies for adult financial accounts, employment background checks, or government services. Affected users who created Neopets accounts during their childhood should treat any password used on Neopets as fully compromised across all uses, change any potentially reused passwords on current adult accounts including email, banking, and employer accounts, enable two-factor authentication where available, and consider monitoring credit reports for any unauthorized account openings. The 2022 follow-on breach means that affected users should expect additional and ongoing exposure rather than a time-limited incident.
ObscureIQ assessment: High sensitivity because the platform historically involves minors and long-lived identities. Exposure enables account takeover, harassment, and resurfacing of childhood-linked profiles or behavior.
The institutional impact on Neopets has been moderate across multiple incidents given the platform's continued operation through ownership transitions. Neopets has not been the subject of significant public regulatory action despite the multiple incidents, in part because its Hong Kong-based parent company structure complicates U.S. and EU regulatory enforcement, although the predominantly minor and youth user base would in principle implicate COPPA in the United States. Civil litigation has been limited based on publicly available information. The reputational impact has been concentrated within the legacy-online-gaming sector and among long-time Neopets users, many of whom have continued to use the platform across multiple ownership transitions and security incidents. The case has been formally cited in cybersecurity industry analyses of long-running gaming platforms as illustrating the persistent risk profile of legacy platforms with substantial historical user data and limited security investment.
Neopets is a virtual pet gaming and online community platform that launched in 1999, allowing users (predominantly children, tweens, and young adults at launch and continuing through the platform's history) to create and care for virtual pets, play browser-based games, participate in community forums, and engage in virtual-economy activities using in-game points (Neopoints) and real-currency-purchased Neocash. The platform has had multiple owners over its history including Viacom, JumpStart, and most recently NetDragon (a Hong Kong-listed online gaming company), with Neopets currently operated as a NetDragon subsidiary headquartered in Hong Kong. As an account-based gaming and community platform with a long-running user base, Neopets maintained extensive user account data including identity, contact information, demographic data, geographic location, IP addresses, gameplay history, and login credentials, with many active accounts dating back to the platform's early years.
Online game and community platforms collect player accounts, emails, usernames, friend relationships, gameplay history, purchase records, and social activity tied to youth-oriented virtual worlds.
Neopets has continued to operate following both the 2013 breach and a subsequent 2022 breach in which a hacker known as 'TarTarX' advertised the sale of approximately 69 million member accounts plus 460 megabytes of compressed Neopets website source code on a hacking forum for approximately four bitcoin (approximately $94,000 at the time). The 2022 incident was acknowledged by Neopets via the platform's Twitter account and a forensic investigation, with Neopets engaging law enforcement and a leading forensics firm. The platform has had documented persistent security weaknesses including a 2020 disclosure by independent researcher John Jackson of exposed credentials, employee emails, and proprietary source code through a misconfigured Apache web server. A separate Reddit user named 'neo_truths' reported having read access to the Neopets database for at least a year before the 2022 incident through exploits found in the leaked source code. The platform has launched NFT-related features and metaverse-game initiatives in recent years under NetDragon ownership.
Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.
If you believe your information may be included:
Verified fields include Date of Birth, Email Address, Full Name, Gender, Geographic Location, IP Address, Password, Username.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on: