Neopets Data Breach
Neopets Virtual Pet Platform Breach (2013): 68 Million User Accounts Including DOB, Location & Passwords Exposed :: Long Disclosure Delay
Virtual pet gaming platform.
Risk Interpretation
High sensitivity because the platform historically involves minors and long-lived identities. Exposure enables account takeover, harassment, and resurfacing of childhood-linked profiles or behavior.
Impact & Downstream Threats
The institutional impact on Neopets has been moderate across multiple incidents given the platform's continued operation through ownership transitions. Neopets has not been the subject of significant public regulatory action despite the multiple incidents, in part because its Hong Kong-based parent company structure complicates U.S. and EU regulatory enforcement, although the predominantly minor and youth user base would in principle implicate COPPA in the United States. Civil litigation has bee
- Credential stuffing against reused passwords across other platforms
- Identity verification bypass using name + date of birth combination
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Breach Intelligence
Executive Summary
Neopets, a virtual pet gaming and online community platform, suffered a data breach in approximately 2012 to 2013 (publicly indexed by Have I Been Pwned on July 7, 2016, with a breach date of May 5, 2013) when attackers exfiltrated a database of user account information from the platform. The breach data circulated among breach-trading communities for several years before being formally indexed in 2016, a significant disclosure-delay window during which affected users had no notification of their exposure. The breach was redistributed and indexed by DataBreach.com on December 1, 2024, with an expanded record count that may reflect the inclusion of data from a subsequent 2022 breach in which approximately 69 million Neopets accounts were exfiltrated, along with the platform's source code, by a hacker using the alias 'TarTarX'.
The breach affected approximately 27 million unique email addresses based on records indexed by Have I Been Pwned (with DataBreach.com listing approximately 68.5 million records that may reflect the combined 2013 and 2022 incident scopes). Compromised fields included email addresses, names, usernames, dates of birth, gender, geographic locations including ZIP codes for the U.S. user subset, IP addresses, and passwords stored in plaintext. The plaintext password storage represents a critical security failure that exposes the original credential values directly, with no cryptographic protection of any kind. The exposure of dates of birth combined with the platform's predominantly youth user base means that a substantial proportion of the affected accounts belong to users who were minors at the time of account creation, with many having transitioned to adulthood during the multi-year period between the breach and public disclosure.
For affected users, the practical risk profile combines long-running credential-reuse exposure with identity-fraud risk that has accumulated over the substantial gap between the original breach and present-day awareness. The plaintext password exposure means that any account where the user reused the Neopets password is fully compromised, with credential-stuffing risks expected on email, gaming, and other accounts that may have been created with the same password during a user's adolescence and carried forward into adult life. Date of birth and geographic location exposure for users who were minors at the time of the breach creates long-tail identity-fraud risk that may not be apparent until the user applies for adult financial accounts, employment background checks, or government services. Affected users who created Neopets accounts during their childhood should treat any password used on Neopets as fully compromised across all uses, change any potentially reused passwords on current adult accounts including email, banking, and employer accounts, enable two-factor authentication where available, and consider monitoring credit reports for any unauthorized account openings. The 2022 follow-on breach means that affected users should expect additional and ongoing exposure rather than a time-limited incident.
About Neopets
Neopets is a virtual pet gaming and online community platform that launched in 1999, allowing users (predominantly children, tweens, and young adults at launch and continuing through the platform's history) to create and care for virtual pets, play browser-based games, participate in community forums, and engage in virtual-economy activities using in-game points (Neopoints) and real-currency-purchased Neocash. The platform has had multiple owners over its history including Viacom, JumpStart, and most recently NetDragon (a Hong Kong-listed online gaming company), with Neopets currently operated as a NetDragon subsidiary headquartered in Hong Kong. As an account-based gaming and community platform with a long-running user base, Neopets maintained extensive user account data including identity, contact information, demographic data, geographic location, IP addresses, gameplay history, and login credentials, with many active accounts dating back to the platform's early years.
Why They Hold Your Data
Online game and community platforms collect player accounts, emails, usernames, friend relationships, gameplay history, purchase records, and social activity tied to youth-oriented virtual worlds.
Recent Developments
Neopets has continued to operate following both the 2013 breach and a subsequent 2022 breach in which a hacker known as 'TarTarX' advertised the sale of approximately 69 million member accounts plus 460 megabytes of compressed Neopets website source code on a hacking forum for approximately four bitcoin (approximately $94,000 at the time). The 2022 incident was acknowledged by Neopets via the platform's Twitter account and a forensic investigation, with Neopets engaging law enforcement and a leading forensics firm. The platform has had documented persistent security weaknesses including a 2020 disclosure by independent researcher John Jackson of exposed credentials, employee emails, and proprietary source code through a misconfigured Apache web server. A separate Reddit user named 'neo_truths' reported having read access to the Neopets database for at least a year before the 2022 incident through exploits found in the leaked source code. The platform has launched NFT-related features and metaverse-game initiatives in recent years under NetDragon ownership.
Data Points Exposed
Exposure Categories
Canonical Fields
date_of_birth, email_address, full_name, gender, geographic_locations, ip_address, password, username
Dark Web Verification
- Dataset containing ~68.5M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: neopets.com-2013;Neopets Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
