Neopets Account Safety
When people hear the word "hacker," they tend to think of Hollywood stock characters: computer geniuses who break into world defence databases in order to steal missile launch codes. In reality, there are many kinds of hackers, but most use their skills to help instead of harm. They look for security holes or bugs and report them to administrators so they can be fixed. The ones that get into systems for malicious purposes are black hat hackers, also known as crackers.
Then there are scammers. These people use simple tactics to get their hands on your Neopoints/items/pets, or to get you to reveal your private information.
Neopets does have security measures in place to help protect your pets and belongings, but new pages of content go up on the site every day, and once in a while, someone will find a new thing to exploit. This article outlines the common ways someone can get into your account, so you know what to be wary of.
"Give me your password and I'll do favours for you or your pets!"
"Let's share an account so we can get rich quicker!"
This tends to be one of the ways younger or newer users lose their accounts. Someone, whether it be a stranger on the Internet or even worse, your real life friend, will offer to take care of your account. It might be to feed your pets while you go on vacation so that they won't die or it might be to play a game for you so that you can win an avatar or trophy. Forget it; if you do this, you're handing over your password on a silver platter so that the person can take your Neopoints, items, and even your pets!
If you're a newbie, you might not know this, but Neopets cannot die. When you don't feed them for a prolonged period, it will say that they are "dying," but they never actually starve to death. Going on vacation? Have side accounts and don't have time to feed all of your pets? You can send them to the Neolodge to be fed and pampered. The hotel you choose doesn't matter; you can send them to Cockroach Towers and they'll still be kept bloated for the duration of their stay.
Sharing accounts, even if it's just for a limited time, even if it's with someone in your guild, is against Neopets' Terms and Conditions (the set of rules that you agreed to follow when you signed up).
Redirection to Other Web Sites
"Go to this web site, fill out a survey and win tons of items and Neopoints!"
"Free cheats/hacks/programs/secret areas for Neopets!"
You tend to see these types of advertisements on the Neoboards or in Neomail messages. Someone posts a web address to a site, claiming that if you answer questions, you'll be eligible to win tons of prizes, such as endless paint brushes, codestones, and bottled faeries. Alternatively, they'll say that the site has instructions on how you can hack and cheat your way to fame and fortune. Of course, the person will insist that everything is genuine and will work.
Somewhere on the site, there'll usually be a section that asks for your password or for you to download a file. By now, alarm bells should be ringing in your head.
Repeat after me: if it seems too good to be true, it most likely is! There is no magical Neopoint generator, no secret vault filled with rare items that you can access if you input your user information or e-mail address into a form. In addition, be careful what files you download from the Internet! There are all sorts of programs out there that record what you type into your computer (i.e., keyloggers) or are designed to steal your personal files. Never unpack or run .ZIP, .RAR, and .EXE files from suspicious sites.
Impersonating The Neopets Team (TNT)
"TNT needs your password to fix glitches/give you a prize/give you a job/renew your account!"
Sometimes, you might get a fake message, via e-mail or Neomail or something else, that claims to be from Neopets staff members. It might go something like this:
Think about it: if this really was from Neopets, why would they have to ask you for your password? It's their web site and they coded the databases!
It's been said repeatedly, but here it is once more: Neopets staff members (even former staff members) will never personally ask for your password! The only time you should be inputting your password is when you're using the Neopets site (logging in, changing your user lookup, etc.).
Fake Login Pages
"Hey! Innocent login page right here for you to type in your password!"
Sometimes, cheaters will create fake Neopets login pages where typing in your password will only be giving it to them.
So when you do log in to Neopets, make sure you're doing it at the correct place! The web address (or URL) box in your browser should say http://www.neopets.com/login/. If it is anything else, don't proceed!
Public or Shared Computers
"It's okay, your user information will be deleted if you close the browser window!"
"I'll log you out for you!"
No matter what anyone else says, always log out of any and all accounts once you're done on a public or shared computer. If you don't, the next person to come along may be tempted to steal them.
Cookie Grabbers (CGers)
Places they can show up: the Neoboards, user lookups, pet pages, user shops.
This is perhaps the most infamous way for someone to get into your account. It's also one of the most misunderstood. Let's see if we can clear up some misconceptions.
A web cookie is a text file stored on your computer by your Internet browser. It contains data about your login session and site preferences (such as the site theme you're using). It's not a virus or spyware.
It's worth mentioning that a cookie grabber only grabs the cookie for the site on which it's executed. For example, a cookie grabber on Neopets takes only your Neopets cookie.
If someone puts the code for a cookie grabber into their user shop, they'll usually have some extremely cheap items in there as well (e.g., codestones, paint brushes), to entice users to visit. When you're presented with a link to something on Neopets, hover over it with your mouse and look at the bottom left corner of your browser. This will display the destination of the link. Another way to do this is to right-click on the link and check its Properties. If you see phrases such as <script>, document.location, and document.cookie, or anything that suggests you're being led to another site, don't click on it!
Additionally, there have been isolated incidents where cookie grabbing code is inserted into the post in a topic, rather than the link to a topic. The code is not visible unless you have blocked font effects in your Neoboard preferences, or view the source code of the page (usually done by right-clicking and selecting "View Page Source"). These incidents do not last for long before TNT comes and deals with them, but if you want to take some precautions, you can chat on the Neoboards using a side account, one that does not have priceless pets or items.
If it's too late and you are redirected to a login page/new place, or if there's a pop-up that comes up quickly then disappears, or if you start seeing weird things happening in your account, please see the "I Think I've Been Cookie Grabbed" section.
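The hover check from this section and the address check from the Fake Login Pages section, written out as an added example (not code from Neopets or from the original article). The trusted host list, the function names, and the sample links are assumptions made for the illustration.

```javascript
// Hosts treated as on-site. The page names neopets.com and images.neopets.com;
// www.neopets.com comes from the login address it gives.
const TRUSTED_HOSTS = new Set(["neopets.com", "www.neopets.com", "images.neopets.com"]);
// Phrases the page says to look for ("<script" also matches tags with attributes).
const SCRIPT_MARKERS = ["<script", "document.location", "document.cookie"];

// Undo percent-encoding a few times so %3Cscript%3E and %253Cscript%253E
// are both seen as <script>. Malformed escapes stop the loop.
function decodeRepeatedly(text, rounds = 3) {
  let current = text;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns a list of reasons not to follow the link (empty list = nothing found).
function inspectLink(href) {
  const findings = [];
  const decoded = decodeRepeatedly(href).toLowerCase();
  for (const marker of SCRIPT_MARKERS) {
    if (decoded.includes(marker)) findings.push(`contains ${marker}`);
  }
  let url;
  try { url = new URL(href); } catch { return [...findings, "not an absolute URL"]; }
  // "http://www.neopets.com@other.example/" goes to other.example, not Neopets.
  if (url.username || url.password) findings.push("userinfo before the host");
  if (!TRUSTED_HOSTS.has(url.hostname)) findings.push(`off-site host ${url.hostname}`);
  return findings;
}

// True only for the login address the page gives (https accepted as an assumption).
function isRealLoginPage(href) {
  let url;
  try { url = new URL(href); } catch { return false; }
  return ["http:", "https:"].includes(url.protocol) && !url.username && !url.password
    && url.hostname === "www.neopets.com" && url.pathname === "/login/";
}

// Constructed sample links; the .example hosts and /example.phtml are made up.
const SAMPLE_LINKS = [
  "http://www.neopets.com/login/",
  "http://www.neopets.com.login.example/login/",
  "http://www.neopets.com@login.example/login/",
  "http://www.neopets.com/example.phtml?x=%253Cscript%253E",
];
for (const link of SAMPLE_LINKS) {
  console.log(link, "login page:", isRealLoginPage(link), "findings:", inspectLink(link));
}
```

The second and third samples both show "www.neopets.com" at the start of the address, which is why the check compares the parsed host rather than looking for the name anywhere in the text.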
Rough definition of hash: a "jumbled up" version of a particular piece of data.
If the data is modified, then the hash value also changes.
A list of hash values can be obtained if someone manages to break into a database of account information on a web site. The list will also contain usernames and e-mail addresses. Hashes will look like strings of gibberish but they represent passwords. These cannot always be decrypted into plain text, so the cheater will try to brute force them, meaning they'll convert common passwords and phrases into hashes and see if any of them match the ones on the list. If there is a match, then the cheater will know your password in plain text, and if you use the same password for multiple sites, they'll be able to access those accounts.
How to Defend Yourself
Your Account Details
Things that only you would know about your account!
This won't prevent you from getting your account stolen, but if you're filling out a support ticket, it will help prove to TNT that you are the true owner. Try to remember or have the following information handy:
- Previous passwords you used for the account
- Previous e-mail addresses you used for the account
- The birth date you used to sign up
- Your Neofriends (the total number, some examples of their usernames)
- Total Neocash purchased/NC you had on hand/any recent NC purchases
- Rare item codes redeemed
- Any warnings/suspensions received
- Pets you created/transferred/abandoned
- Items in your closet or equipped to your pets
Additional information you might consider:
- Stocks you own
- Any unpriced items in your shop
- Your safety deposit box items
- Amount of NP in the bank
- Items in your Neohome storage shed
Recent screenshots of various areas of your account would also be useful.
Make a strong password!
Change your password every once in a while!
Never give out or even hint toward your password!
Don't use the same password for all your accounts on the Internet!
The point of having a strong password is to make it harder for others (especially those with hash lists) to guess it. Try to make it at least 8 characters long and use a combination of letters and numbers. For added complexity, use a combination of uppercase and lowercase letters, numbers, and characters such as the period, the number sign, the dollar sign, etc. (Neopets allows the following: !@#%^&*$+._()) Don't make it a dictionary word and never ever make it your name or birth date!
You should also have a different password for your various accounts online. That way, if someone did manage to get your Neopets password, they wouldn't be able to access your e-mail or online bank account as well.
There are error messages in place that stop you from posting your password on the Neoboards, guild message boards, and through Neomail, but you should not be trying this anyway. Don't even say it in instant message chats because it will definitely not be filtered out.
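A password check that ties the hash list explanation to the password advice above, as an added example (not Neopets' own code and not part of the original article). It assumes Node.js; the hash algorithm (unsalted SHA-256), the short common-password list, and the function names are assumptions, since the article does not say how Neopets stores passwords.

```javascript
const { createHash } = require("node:crypto");

// Constructed stand-in for the lists of common passwords the article describes.
const COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "neopets"];
// Symbols the article says Neopets allows.
const ALLOWED_SYMBOLS = "!@#%^&*$+._()";

// Hash algorithm chosen for illustration only (assumption).
const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Precomputed table of hash -> plain text. Anyone holding a hash list can build
// the same table, which is why a common password offers no protection.
const HASH_TO_PLAIN = new Map(COMMON_PASSWORDS.map((p) => [sha256(p), p]));

// Returns the problems found with a password (empty list = none found).
// `personal` holds things like your name or birth year (supplied by the caller).
function reviewPassword(password, personal = []) {
  const problems = [];
  if (password.length < 8) problems.push("shorter than 8 characters");
  if (!/[a-z]/i.test(password) || !/[0-9]/.test(password)) {
    problems.push("needs both letters and numbers");
  }
  const notAllowed = [...password].filter(
    (c) => !/[a-z0-9]/i.test(c) && !ALLOWED_SYMBOLS.includes(c));
  if (notAllowed.length > 0) problems.push("contains characters Neopets does not allow");
  const lowered = password.toLowerCase();
  if (personal.some((p) => p && lowered.includes(p.toLowerCase()))) {
    problems.push("contains your name or birth date");
  }
  if (HASH_TO_PLAIN.has(sha256(password))) problems.push("hash matches a common password");
  return problems;
}

// Constructed sample passwords and personal details.
for (const candidate of ["password", "123456", "Sam1990xyz", "Kau7.meerca#Sky"]) {
  console.log(candidate, sha256(candidate).slice(0, 12), reviewPassword(candidate, ["Sam", "1990"]));
}
```

Changing a single letter ("password" to "Password") gives a completely different hash, so the table lookup only succeeds for passwords that are on the list exactly.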
Use a Personal Identification Number (PIN)
Don't make this the same as your bank card PIN!
The great thing about a PIN is that it can't be obtained through cookie grabbing. However, don't make yours a blindingly obvious sequence, such as the year of your birth. TNT has even restricted you from making your PIN 1234 because it could be guessed so easily. Use PINs to protect the most important parts of your Neopets account. You can do this by going to the PIN preferences page.
Enable a Login Birthday Prompt
Works best if you do not reveal your birthday to others!
This means that every time you go to log in, you will also be asked to enter the birth date that is associated with the account. Before you activate this option, check your account information to make sure you know the correct birth date. Then visit your site preferences and check the box next to "Login Birthday Prompt."
If you are going this route, you should also ensure your entire date of birth is not publicly viewable on a forum, user lookup, or social media site.
NoScript Add-On for Firefox
Otherwise, the site will not work properly.
If you are on Neopets and accidentally click on a cookie grabber link, your cookie will not be stolen because the script came from a site that you've most likely never been to, thus cross-site scripting is automatically blocked. For added protection, you can also use RequestPolicy.
It might seem like a hassle to select "Allow ..." for every site you trust, but it's definitely worth it in the end.
Here are some screenshots of my NoScript settings (I mostly kept the default ones).
I like to always have the icon showing at the bottom of my browser window so I know when objects have been allowed or blocked.
Clicking on the icon will bring up the menu of options. Alternatively, you can right-click on a page and hover over "NoScript."
For sites that I trust, I usually allow the domain (in this case, neopets.com and images.neopets.com).
For sites that are new to me, but I know would have no reason to engage in shady activities, I usually select "Temporarily allow all this page." This means that the next time I start up Firefox and visit the site, everything will be blocked again.
If you're not going to be browsing Neopets and you don't want to be bogged down by NoScript constantly blocking objects, you can temporarily disable (but not uninstall) the add-on. To do this, go to Tools -> Add-ons. You can re-enable it at any time afterward. Personally, I never use the disable option in the first place, but it's up to you.
Too many add-ons will slow Firefox down, so only install essential ones.
RequestPolicy Add-On for Firefox
This add-on enables you to block cross-site requests, including Cross-Site Request Forgery (CSRF) attacks, wherein your browser makes requests to another web site without your consent or knowledge. RequestPolicy can be used in conjunction with NoScript to give you a wider range of protection (i.e., the two add-ons focus on entirely different things and should not be mistaken for each other).
After you successfully install it, you'll be presented with a list of recommended sites to whitelist (meaning you'll automatically allow cross-site requests to and from the domains listed). You can tick or untick the boxes to your preference.
You'll notice a flag icon in the bottom right corner of your browser window. Clicking on it brings up the menu of options and it's very similar to NoScript. Here are some screenshots of my RequestPolicy preferences (I mostly kept the default ones but I added some whitelist sites right off the bat).
When you go to a site now, you'll probably see the flag icon turn bright red and there'll be a lot of broken images or blocked objects on the page. Click on the red flag to see what's being blocked. Alternatively, you can right-click on a page and hover over "RequestPolicy."
jellyneo.net to neopets.com -- our site requests a lot of Neopets images.
jellyneo.net to dreamhost.com -- this is for things relating to our web host, such as our site counter and donation link.
jellyneo.net to google-analytics.com -- this is so we can gather site statistics.
These are all okay to allow.
On Neopets, you might see these ones:
neopets.com to google-analytics.com -- for gathering site statistics.
neopets.com to doubleclick.net -- related to ads and marketing. DoubleClick is a division of Google.
neopets.com to scorecardresearch.com -- for market research purposes.
neopets.com to adbureau.net -- for market research purposes.
neopets.com to somethinghashappened.com -- for loading Neopets related ads.
Nothing malicious going on there, either.
On Neopets, do not select "Temporarily allow all requests" or "Allow requests from neopets.com."
You want to block everything by default and choose which specific requests to allow.
Once again, it seems like a hassle to do this for every site you visit (including Google Images, recaptcha.net, social media sites, web mail, etc.), but the advantage is that you now have a more active role in determining your privacy and security while surfing the Web.
If you're not going to be browsing Neopets and you don't want to be bogged down by RequestPolicy constantly blocking objects, you can temporarily disable (but not uninstall) the add-on. To do this, go to Tools -> Add-ons. You can re-enable it at any time afterward. Personally, I never use the disable option in the first place, but it's up to you.
Too many add-ons will slow Firefox down, so only install essential ones.
Additional Software and Updates
Programs that keep your computer safe and free of clutter.
Anti-virus software helps to tackle trojan horses, worms, keyloggers, and other malicious programs that may be on your computer. Such packages often offer firewall services as well, which block outside users from gaining unauthorised access to your networks. Some of the more high tech software packages might require you to pay money, but there are some good free ones too, including Malwarebytes' Anti-Malware and AVG Anti-Virus Free Edition.
Your Internet browser should have options to delete your web history, cache/temporary Internet files, cookies, and offline web site data, but if you want to do this for multiple browsers at once, there's CCleaner. The program also allows you to remove temporary files for other applications, which frees up space.
Whatever software or add-on you use to keep your computer safe, it's important to keep it current by installing updates as they become available.
Take a minute to think about the situation you're faced with.
What if you don't use Firefox or can't install programs because you're on a family/work computer? That's alright, you can still avoid dangers just by being careful with where you go on the Internet. I realise the definition of "common sense" is debatable, but here is something every Neopian should know:
The other thing I would suggest is to be mindful of what bits of personal information you're revealing to strangers/acquaintances on the Internet. If you're in a chat and someone asks for your credit card number, I think it's pretty obvious that you shouldn't give it to them, but what if the subject of the conversation was your mother's maiden name? The city where you were born? The name of your first pet?
Many e-mail and banking providers have a "secret question" system set up. This means if you forget your password to those accounts, you can answer a question (that you chose and that only you should know the answer to) in order to retrieve it. Lots of users who have had their Neopets account broken into actually had their e-mail account(s) compromised first.
Does that mean that you should stay away from everybody? No. There's no need to be overly paranoid about this. You can have friends and a social life online without spilling every personal detail about yourself. You can be a Neopets veteran, go on the Neoboards on a daily basis, and have an account that has never been compromised. When you are confronted with a questionable situation, just take a moment to think about the safest course of action.
I Think I've Been Cookie Grabbed (CGed)!
What to do after you think you've clicked on a cookie grabber on Neopets.
- Go to neopets.com, log out immediately, and close the browser window you're on.
Cookies are based on sessions by default. Logging out and exiting the browser window destroys the current session.
- Relaunch your browser and log back in to Neopets.
- Change your password.
- If you don't already have a PIN or birthday prompt, set one up.
If you find that your account was frozen for your protection by TNT, you can submit a ticket on their Help page (it works even if you're not logged in). For Issue Type, choose Frozen Accounts and for the Reason, choose Possibly Scammed. Provide as much detail in your report as possible and leave a valid e-mail address so a Neopets support representative can reply.
- Be aware of Neopets account rules (see the Terms and Conditions)
- On the subject of the above, please note that it is against the rules to lie about your age, even as a joke
- If an offer from another user seems too good to be true, it probably is
- Look at all links carefully and don't click any that lead to suspicious sites (such as sites offering cheat programs)
- Keep track of important details about your account, in case you have to prove to TNT that you are the rightful owner
- Compose a strong password with a mix of letters, numbers, and other characters
- Keep your password a secret (don't leave it written on something that can be accessed by others)
- Don't use the same password for every account you have on the Internet
- Change your password every once in a while
- Make a PIN on Neopets to protect the most precious parts of your account
- Enable a birthday login prompt
There is also the RequestPolicy add-on, which blocks cross-site attacks
- If you use anti-virus software or add-ons, install updates for them as they become available
- Always log out of all accounts when using public/shared computers
- Keep up with the news on Neopets and Jellyneo to hear about anything that might endanger your account!
Alas, we don't have the capability to build the world's first cookie-defending Megazord.
This article was written by: DragonBeak & Illy