Welcome to Jellyneo.net!
UPDATE, July 25th, 3:30 PM NST:
There have been no further updates regarding the breach by TNT, nor any firm confirmations that the vulnerability has been patched.
UPDATE, July 21st, 11:30 PM NST:
As of approximately 10:50 PM NST tonight, upon visiting any Neopets.com page you will first be greeted with the following Important Announcement, which is the same text we have seen as the first official announcement yesterday (and also repeated in today's New Features).
Just click to "Continue To Site" as we've yet to receive confirmation that the vulnerability has been patched.
UPDATE, July 21st, 7:30 PM NST:
There have been no further updates regarding the breach today by TNT, nor any firm confirmations that the vulnerability has been patched.
UPDATE, July 20th, 7:43 PM NST:
TNT has posted a statement to Twitter and to the Neoboards about the breach. Their statement doesn't seem to confirm that the vulnerability has been patched. They have also not confirmed the safety of Premium/Neocash payment methods (we've been asked this a lot by Neopians and specifically escalated this issue with TNT—we don't believe payment methods were breached, but we're only fansite volunteers, not TNT and would like them to confirm).
The tweet and Neoboard message:
Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data. (1/3)
It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords. (2/3)
As our investigation continues, we will update you as appropriate. We truly appreciate your patience and understanding at this time. Thank you. (3/3)
As per TNT's suggestions, we recommend you update your password (via "My Profile"). However, since TNT has not confirmed that the vulnerability has been patched, be prepared to change it again once we get the all clear.
If you share your Neopets password with any other website, you should change that immediately.
UPDATE, July 20th, 12:48 PM NST:
TNT member Willow has issued a statement regarding the active breach:
Hi everyone— we’re aware of the data breach and are actively working on it. Will provide more information ASAP.
We'll keep you updated as TNT posts more. Until then, please read below on how you should be making sure your other web accounts are secure and do not share login information with your Neopets account(s). Since this is an active, unpatched breach, changing your Neopets password or PIN is not advisable at the moment.
We have some serious news today. Thanks to an anonymous tipster, we've been made aware that the database and source code for Neopets.com has been breached, and over 69,000,000 user accounts have been exposed.
Full account information, such as email address, passwords, gender, IP addresses, countries, and birthdays are available for sale on a hacker website.
Access to the full database and a copy of Neopets.com source code is being offered for 4 Bitcoin (~$94,500 USD at time of writing). For an additional fee, the seller is offering live access to the database.
You may have read or heard of some reddit posts being made over the past few months by a user who claims to have had live access to the Neopets database and source code since late last year. (Posting about things such as users who gamed the Mystery Pic contest with the Scary Tree Stamp as a prize, or users who have been shadowbanned from the Altador Cup.) TNT has failed to address this security leak, and now we're finding someone else selling access on the black market.
What Can I Do to Protect My Account?
Due to the nature of live access being available, we do not recommend changing your account password or PIN at this time. (The hacker and/or buyer could just get a new copy of whatever you changed your password to with their live access.) We will post an update when it's safe to update your account credentials.
This isn't the first time the Neopets.com site has been breached, and is likely not the last. We cannot emphasize enough that you should be using unique passwords across every website. If you share your Neopets.com password with any other websites, those accounts are highly at risk. Paying $95k to hack Neopets accounts seems pricey, but the value in a purchase like this will be the ability to test your Neopets.com password on many other sites in brute force attacks.
If you share your Neopets.com password with any other website, update the password on those other sites immediately. You should also consider upgrading your digital lifestyle to include a password manager, such as 1Password, which stores unique hard-to-guess passwords for you and will greatly reduce your risk going forward.
There are 231 comments below. Add yours!
Dang, sharing this with my Neofriends immediately. Thank you for the information and suggestions on what to do.
Would be amazing if, you know, TNT did anything ever about the decrepit state of the site. Maybe this will force them to.
Sincerely hoping this gets addressed and fixed quickly.
Oh boy! *ANOTHER* breach! Good job, TNT, A+ security
So it's just account data, right? No access connected to the NC mall or premium or anything? (i.e. no access to purchase/CC data?) So glad I've never given Neo my credit info...
I'm feeling less and less optimistic about the future of Neo every day, and this doesn't help at all.
Oh no. Oh dear.
I really hope this causes some serious security changes ASAP.
Also can't help but wonder if this hack is low-key linked to this whole crypto currency anti-neopets group of Meta.
jesus chrystler jeep grand cherokee.
@mavegibson: Payment information for Neocash or Premium isn't being advertised here. Presumably that would be the headline on the "For Sale" post if it was.
Fwiw, I know *nothing* about how Neopets actually processes payments, but knowing they work with another payment processor, I would assume that they only store payment tokens from the processor and do not store CC/Paypal information on the Neopets servers.
It's pretty standard for a site that takes payments to only store an identifying token provided by the processor and not the payment details (CC #, billing info, name on card, etc.)
July 20, 2022 12:12 PM NST
genuinely just about ready to freeze my accounts and move on at this point. just one thing after the other with this site, i swear. thanks for the heads up, JN.
after losing my neopets account years ago and just getting it back this year, the amount of disappointment i feel is exhausting.
man when will the staff do something to have more security with the accounts? I do not understand, this has happened many times.
July 20, 2022 12:24 PM NST
U g h .
hhhhh and I was having such a great day
Should I just avoid the site for now? Or is it fine to go on the site? I mean I actively changed my most important information yesterday. Cause I got an email saying I was locked out of an account because I guess the password too many times. I am wondering now if someone got information from neopets. Thankfully it was just a prepaid visa card that might have like two dollars on it.
Is it safe to go on the site right now, or no?
can neopets be sued due to those data protection regulations(?) ?
July 20, 2022 12:52 PM NST
Goodness gracious. I don't have anything else to say, but TNT doesn't cease to disappoint.
Hopefully they made a back-up that's not too far back they can roll back to if the worst comes. That said TNT should have immediately put the site DFM as soon as this became public knowledge.
This is why you don't ever have the same pword between sites (and to stay extra safe, don't save credit card info). In addition to Neo having these before (and likely will in the future), there's been other services I've used which have had similar breaches. Remember everyone, the safest way to remember all your passwords is the old pen & paper, can't hack into seeing that.
I also think the site should be taken down until this is fixed. Although would that really do anything? :/
Well... there's a class action lawsuit.
It would at least keep Neo accounts safe. While whoever purchases the info would want it to try to use them on other sites, they still have access to your account.
I'd assume yes as doing stuff isn't going to prevent the info that's already been taken and, as far as we know, they can get the info again.
If I was to suggest anything, go through the Ticket form and write down the information they're asking for as well as anything else you can think can verify it's your account (and may want to write down and even take screenshots of your Neopets and other valuable items): https://www.jumpstart.com/support/np-classic
I remember the last time this happened. Didn't know there had been a breach and panicked when I was suddenly logged out of my account and had to reset my password.
July 20, 2022 1:33 PM NST
If this hack happened because of some anti-NFT idiot. It just feels too close to that drama for this not to be a coincidence.
@bacon: Nah I think this would be because of some pro-NFT idiot, not an anti-NFT one
@bacon, how does that make sense? Anti-NFT but selling data in exchange for crypto?
*** IF YOU USE THE SAME PASSWORD YOU USE FOR NEOPETS, ELSEWHERE, CHANGE YOUR PASSWORDS ON THOSE OTHER SITES IMMEDIATELY***
Not surprised, given the leak of info since late last year... Some of such which can only come from two sources - Insider leaking out, or hack/access gained. These baboons won't fix it though. They likely will just bury their heads in the sand (like they always do), wait for the dust to clear, and then pretend like all is good again. With ZERO change. Robotnik would be very much impressed with their stupidity.
As others mentioned, this is why using unique passwords for every site is always recommended. You can take it a step further and create a free email just for specific sites, and use fake birthdays and such. I never use my real birthday or etc unless it is a website that absolutely requires it (such as banking, government, etc).
Such a leak where they have an email, and a password which could possibly work on other sites (if you're bad and use the same word everywhere!), are extremely valuable. Same with birthdays, which often are used for verification checks. In a worst case scenario, they can use this information, gain access to other sites and piece together even more info on you.
To think that THIS would be the karmatic consequence of deciding to fully embrace NFTs...ironic.
Also, I bet JS REALLY wishes they did a Purge at literally any point since obtaining the site now...sure, it'd be like using a bandage to fix a bullethole still, but at least it'd be a tiny bit better than the situation they're in right now...
There have been so many account hacks among my friends and family this past week! email and Facebook.
At least I know for sure that my Neo PW is unique among all my accounts.
July 20, 2022 2:43 PM NST
the white hat hacker with live access is responsible for fixing a few issues that TNT dragged their feet on such as a filter for "gay" persisting despite the changes to LGBTQ terms; a few days after they posted a comment detailing a way TNT could ctrl+F in the code to look for the filter more easily, suddenly pets with "gay" in their names were createable. unfortunately their findings regarding r100 items and why they don't seem to restock aren't as easy to implement for whatever reason, lol.
July 20, 2022 2:48 PM NST
Why is it that it's 2022 and companies are still storing things in plain text? :')
It's my birthday.. yaaaayy...
Someone's about to lose their job.
Tbh, this was inevitable. I'm just glad that all of my Neopets passwords are unique, for this exact reason.
Genuine question but is it safe to still go on Neo or should I just wait until the breach is over? I know it’s useless right now to change my password but is visiting the site itself dangerous?
@dave - Thanks. That much, at least, is a relief.
@pikachu315111 - That's good advice. Thankfully I already keep all this info on hand, but it's something everyone should be looking at doing today.
But.. but.. the wonderfulness of stackpath is supposed to protect us! *rolls eyes*
Going over my list of accounts and PW's and UN's, I've confirmed I don't use the same username, PW, or email in combination anywhere else. I don't use my real name on Neo... Unfortunately I do have my real birthday on the site, but for all anyone knows it could be fake since most people's on Neo are. And I've used a VPN on Neo for most of my log ins for well over a year, although there were a few times I used a computer that didn't have a VPN. I'm pretty sure my Neopetting for at least the last 2 months has been VPN only. I don't know how far back Neo records IP addresses though. =/
Thankfully, I use different passwords elsewhere.
At this point, I wonder why I still play this game. Seriously.
*sigh* Thanks for the heads up. I've gone and screenshotted my bank account etc and saved all the pics of my pets, just in case whoever buys it decides to go on a griefing spree.
@oceanhazel: There's no concern about visiting Neopets.com and playing as you normally would. If there's any concern for that, we'll definitely add that to the post with some flashing lights.
@peppermint: StackPath is a tool to prevent automated site visits, such as game score sending or autobuyers in restocking. It has its place, but it's not a tool for situations like this.
Just checked my plethora of passwords and pins; All of them are unique from any others I have, so I have no worries on the front. I did, however, make sure the email address I use for Neopets has two-step authentication set up and I recommend anyone who hasn't done that do the same.
I hope everyone stays safe!
@dave... Yes, but the wording of the message that always pops up from stackpath implies that's it protects against online attacks... so I think that's what most people think it does (protect the site against hackers).
Though on the subject, it doesn't seem to work in the way it's intended either as some kind of autobuyer bot seems to still be getting most of the r99 album items.
ugh, not good, gave a heads up to my neofriends and roommates as well, not surprised it happened though, sigh, thanks for the update.
I wonder if, given the timing, this particular incursion could be traced to a disgruntled user who decided the AC was the last straw?
This is terrible! I let my neo friends know on fb.
Such a shame. I hope that they are even capable of fixing this, I am sure with the budget JumpStart gives them they don't have a dedicated security specialist or even a database specialist. I really really hope they can get to the bottom of this, out of all the ways for Neopets to slowly whittle away this'd be the worst. I love this game so much and it pains me so much to think it might be over, I'm genuinely concerned I value this site a lot
July 20, 2022 5:07 PM NST
I wonder WHY they didn't put the site DOWN while all of this dung is happening.. It also makes me think this is done by an insider (or possibly an ex employer) for such a ridiculous ransom
July 20, 2022 5:13 PM NST
*employee, sorry =_=
It's always something lately!
Thank goodness I not only have a different, unique pw on each of my Neopets accounts that is not used anywhere else, and I don't use my real b-day, PLUS I have all the info written down (Including each time I change my pw and the date I did so) in a notebook, along with all of my pets and their bdays and all sorts of info like that. And yes, I have files with screenshots of my pets and galley, stuff like that too.
July 20, 2022 6:12 PM NST
This is why I keep Neopets and other "risky" sites on dummy emails. Consider using Outlook/Hotmail's alias email function and turn off log-in for the aliases. Even if they then have this data it's not very useful to them if they can't use it to log into your email or any valuable accounts not linked to that email. Neopets has proven over and over that they're not trustworthy enough to not take these precautions. Freezing/deactivating your account won't help because they don't seem to actually delete your account or data outside of a purge.
gotta love when neopets has more security against botting for fake virtual game trophies than security against.. oh i don't know.. ip addresses, passwords, and emails ?!
Thanks for the update you guys. Haven't been active on Neo lately and would have never seen this news without you guys.
I am sure it's totally coincidental that the list is being offered for Bitcoins.
July 20, 2022 7:07 PM NST
Well, that sucks. I guess that explains the lag as well.
^It's because cryptocurrencies are often used for crimes and money laundering. Another reason why we need #NoNeoNFTs
This is just devastating. Thank you for keeping us posted.
Yup, bitcoin is *the* ransomware currency, it's not entirely untrackable or private but is often good enough for singular lump sum transactions like these. I don't really see the connection between that and NFTs however, but I will +1 to heck NFTs, honestly I'm still hopeful they're not actually going to happen. NFT interest is actually drastically declining thank god.
Gee, those security checks that mess up stock purchases, Food Club bets, and inventory management aren't helping much, are they?
Contrary to what the text says on them it has more to do with preventing botting and DDoSing. It does work decently at the botting thing and has prevented some autobuyers, and works well for DDoS problems. I don't know why they write that it's for security.
It's just an absolute JOKE that they're trying to create a metaverse version of the site, have failed to fully convert the site from Flash, and are just continuing to leave the site live with serious and severe data breaches like this. I hate to say it but this might push me to delete my account - if they can't do better I can't have my data threatened like this, even if my neo account has nothing tied to any of my other accounts.
July 20, 2022 7:46 PM NST
Oh joy, fortunately I don’t reuse passwords so I’m fine.
Lordy... glad I just happened to come across the FB post. Spent the rest of my evening changing up any PWs close to my Neo ones, and just going to wait to change my Neo ones until the all-clear happens.
So annoying that this happened AGAIN.
July 20, 2022 8:29 PM NST
Yeah I'm not sure they protected stuff well enough yet for it to be safe to change our passwords...what to do.
I'm glad I did redo them all some other time to be very different to any I use anywhere else.
July 20, 2022 8:45 PM NST
Thank you Jellyneo for this very important update <3
I hate to say it but this might push me to delete my account - if they can't do better I can't have my data threatened like this, even if my neo account has nothing tied to any of my other accounts.
Unfortunately deleting an account likely doesn't mean your data is removed from the database.
A stance I like to take is that it's not a matter of if your info will be stolen, it's when. Just make secure passwords, follow good security practices like not opening sketchy emails, and you should have little to worry about.
July 20, 2022 8:48 PM NST
*sighs and spends all day creating unique passwords for every single email, game, and social media account except neopets*
July 20, 2022 11:01 PM NST
Unfortunately deleting an account likely doesn't mean your data is removed from the database.
Isn't that, like, *illegal* in the EU now or something? Unfortunately I haven't been keeping up to date abt the relevant laws, but I wonder.
Honestly wondering if this could be the nail in the coffin for Neo, especially if they don't actually address the issues more than a cover-your-butt "acknowledgement".
July 20, 2022 11:03 PM NST
Also finding myself wondering if JS will find it worth the effort to patch it, or throw in the towel and pull the plug completely since they seem to be meandering toward the slow death of the site anyway.
Thank you so much for alerting us to this, Jellyneo!
I had an issue creating a new password because it kept denying me and claiming that my password needed at least 2 numbers--which it had.
If anyone else encounters this, I think it's looking for the numbers only in the first 20 characters. Any numbers after that don't seem to count for the requirement, and it won't let you generate a new password.
I could be mistaken and just encountered a weird glitch, but I figured I'd share my solution in case it happens to anyone else.
tl;dr you probably need 2 numbers in the first 20 characters for it to let you make your new password
Great, I changed my passwords on my accounts and now I can't access any of them with either the new or the old passwords, nor is Neo sending me password reset emails.
This site. I'm so fed up I have nothing left to give Neo. I feel so completely done with it all...
July 20, 2022 11:38 PM NST
This is pretty sad
@digresser - Finally got my reset email and your tip worked. Thanks.
It still doesn't solve my overall disillusionment with Neo, but at least I can access my pixels.
Flipping change your website to HTTPS already! It seemed to be like that a few weeks ago. When I logged in, it didn't show the usual "This website is not secure" stuff.
Thank you for letting me know that worked.
What a terrible--yet not unexpected--design flaw.
July 21, 2022 2:16 AM NST
So glad I don't spend RL money on sites like this. I mostly live on Subeta these days. I hope the same doesn't happen there, too.
The password stuff gets worse.
Your actual password is only the first 20 characters; everything after that doesn't matter.
If your password is longer than 20 characters you can delete or change anything after the 20th character, and the site will still accept it as correct.
Max character for PWs is 16.
Some point you could actually have longer set but it would complain about it when logging in and that's when support told "your PW seems to be too long, max characters is 16"
That's odd. The sign-up page says 20 characters.
It won't take just 16 characters for a 20-character password, I just checked. 20 seems to be the max.
Maybe they changed it since you spoke to them or perhaps they gave you the wrong information?
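An added example, not part of the original post or comments and not Neopets code: a constructed model of the behaviour commenters report above (only the first 20 characters of a password counting, both for the "2 numbers" rule and at login), next to a variant that validates and hashes the full input instead of truncating it. The class names, the 128-character limit and the PBKDF2 storage are assumptions.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 20  # cut-off the commenters observed
MAX_LEN = 128      # assumed upper bound for the strict variant
MIN_DIGITS = 2     # the "at least 2 numbers" rule quoted in the comments


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash (assumption: the page does not say how passwords are stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def digit_count(text: str) -> int:
    return sum(ch.isdigit() for ch in text)


class TruncatingStore:
    """Constructed model of the reported behaviour: input is silently cut to 20 characters."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.digest = None

    def set_password(self, password: str) -> bool:
        kept = password[:LEGACY_LIMIT]            # silent truncation
        if digit_count(kept) < MIN_DIGITS:        # rule sees only the truncated text
            return False
        self.digest = derive(kept, self.salt)
        return True

    def verify(self, attempt: str) -> bool:
        if self.digest is None:
            return False
        candidate = derive(attempt[:LEGACY_LIMIT], self.salt)
        return hmac.compare_digest(self.digest, candidate)


def policy_problems(password: str) -> list:
    """Return every reason the full password fails, so the form can report it accurately."""
    problems = []
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if digit_count(password) < MIN_DIGITS:
        problems.append(f"needs at least {MIN_DIGITS} digits")
    return problems


class StrictStore:
    """Hardened variant: validate and hash exactly what the user typed, never a prefix."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.digest = None

    def set_password(self, password: str) -> bool:
        if policy_problems(password):
            return False                          # reject, do not truncate
        self.digest = derive(password, self.salt)
        return True

    def verify(self, attempt: str) -> bool:
        if self.digest is None or len(attempt) > MAX_LEN:
            return False
        return hmac.compare_digest(self.digest, derive(attempt, self.salt))


def demo() -> dict:
    # Constructed sample passwords, for illustration only.
    late_digits = "correct-horse-battery-staple-42"    # digits after position 20
    early_digits = "7correct-horse-9-battery-staple"   # digits inside the first 20
    changed_tail = early_digits[:LEGACY_LIMIT] + "-anything-else"

    legacy, strict = TruncatingStore(), StrictStore()
    results = {
        "legacy_accepts_late_digits": legacy.set_password(late_digits),
        "strict_accepts_late_digits": strict.set_password(late_digits),
    }
    legacy.set_password(early_digits)
    strict.set_password(early_digits)
    results["legacy_login_with_changed_tail"] = legacy.verify(changed_tail)
    results["strict_login_with_changed_tail"] = strict.verify(changed_tail)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```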
Changed PW and now neither old nor new PW works. PW reset code never showed up in my inbox, but the automated Help Ticket acknowledgment did. In the old days when TNT had staff, response was pretty prompt. I wonder if I'll get a human response in this current precious human life?
@galifan did you see how mavegibson was able to fix their issue?
@galifan: Oh yes, human contact. I remember those good old days. When you had to take to Facebook to ask them to finally look at your ticket.
I miss those days..
I just changed one of my sides. Generated a password thru LastPass. didn't specify any criteria. It generated a 12 digit pw which was accepted & I got the message my pw had been changed and now I can't get in that account. I went to a different side and generated a new pw but said make it 16 characters and I can now log into that account with the new pw. So......
I ran across this article last night.
Just a heads up and suggestion for those in the US who still want to purchase NC --- walmart.com sells $10 NC cards on their website. Virtual card, sent to email, redeemable on Neo. I haven't bought NC in a while but those cards were always my go to since I never trusted TNT/Neo with my personal financial info anyways.
Stopped buying NC in protest a while back
but in the mall, if you even dare go on neo, there is a free birthday cake, apropos as it is,
This is utterly ridiculous.
It's a good thing I didn't trust Neopets before, so all my PWs were unique and registered under an e-mail I never used for anything else.
Also a good thing I only bought NC with gift cards (that's before the NFT fiasco
July 21, 2022 11:22 AM NST
@digressor -- thanks, I saw before I posted. Since TNT aren't sending me reset codes, I can't start the process again.
July 21, 2022 11:46 AM NST
And I'm in! With the birthday cake for an incentive, I finally got a reset message in my inbox, what a relief! Took me many tries to find a PW the system would accept, it kept telling me there was something wrong with the random ones I generated -- which wasn't true, but the system seems to be looking for something that isn't on their little checklist. At least I got the cake.
July 21, 2022 12:04 PM NST
Ugh...Decided to back up my most important and recently updated pages, just in case. :/ I'm realizing I actually like Flight Rising more anyway, but eh...I still enjoy seeing my friends on Neo too, and my creative guild. I did inform a friend who left Neo about the incident though, just in case.
Oh, I'll have to keep that in mind! I miss physical NC cards, tbh. They were my parents' go-to gifts for me when they were a thing. Do the virtual ones still give items? I know simply buying NC onsite doesn't.
For passwords, the system doesn’t accept a lot of special symbols. Notably @, # and &. Probably others too. Best to stick to numbers and letters (even though less secure).
TNT posted the word 'password'- a clear violation. Their account should be banned.
@dusk, yeah. It was refreshing to see Flight Rising devs being proactive in alerting players to the implications of this situation.
I found out about this situation through Flight Rising
I don't care much about Neopets anymore, this was just icing on a very large cake of reasons to abandon the site for good
I access JN much more than I access Neopets nowadays lol
My advice for anyone wanting to change their password:
First, collect everything you can about your account before you try to change the password, because if you end up being unable to get back in you'll want to be able to prove it's your account.
Especially make sure you know which email address is associated with your account and make sure you have access to that email account.
The password form is a ridiculous trainwreck and doesn't actually have a proper clue about what's happening in the password field. Several times I had a password that, for example, had two numbers (even as the first characters in the password) and the form still thought I didn't yet have two numbers. Just keep mucking around with the password until the form options all go green (I created the password in a text file and kept copy/pasting it into the form field as I tweaked it).
If you change your password and you can't get back into your account and aren't being sent reset codes, just keep trying. Eventually it will work.
Hope this helps.
@ dusk - the online NC cards from Walmart do not have codes for extra prizes like the tangible ones did.
I was able to generate passwords with those symbols.
I did have an issue testing the ampersand "&" but I think I just had a typo because I was eventually able to create a password with it and use it to change things.
Why haven't they shut the site down?
Why haven't they shut the site down?
It would do absolutely nothing. Just because the site is offline doesn't necessarily mean the databases, internal servers, backend, etc become offline and are all safe. Plus copies have likely been made of the source code and sensitive info by the hacker, so even if they lost access the damage has been done.
Is anyone else getting a "Database failure" error when trying to change your email address on Neo? I've been trying to change my emails on Neo to different ones but this is making it almost impossible.
Thus far, I've only managed to change the email for my main account successfully. All my side accounts have been getting the "database failure" error when I try to change them.
I've only recently come back to Neo, but I cannot believe that they haven't at least updated us on the situation today. I know SDCC is happening, but I thought maybe something...
"We are also engaging law enforcement and enhancing the protection for our systems and our user data."
All I wonder is: HTTPS when? I believe I sent a ticket in regarding this subject... five years ago? Longer? I think around the time the log-in screen started showing that the website was not secure. Is it really that difficult to follow suit to many, MANY other websites that have already been converted to HTTPS?
(Back then I got a response that they did not have the resources at the time to make that change or something like that. Don't pin or quote me on this though.)
They have converted to HTTPS, but it's patchy (like the beta layout) and we can't post those links on the boards without removing the S.
Another half-botched job, sadly.
For what it's worth, I never saw the announcement when I went in today to do my dailies.
@reckless: Oh, I did not know that. The log-in page isn't HTTPS though, is it? Otherwise my whole point was moot...
*oops, missed an e! I meant @recklesse, naturally
I now hail from countries with cool names
@apophis324, it's really confusing (for me at least).
You can 'force' the https link by using https://www.neopets.com/login/index.phtml and it seems to hold. But links from search engines etc. always seem to go to the http page (with no 's'). You can do the same with most other pages too. Or just add the 's' and refresh the page. Seems to work a lot of the time.
I don't know enough about security certificates to know what's going on with that. I just know it's really annoying that we still can't post those links with the 's' on the Neoboards, even though TNT has said it's fixed (twice now).
Also I don't know if it works the same on all browsers/devices.
Dang...I wish I could be shocked about this breach happening, but I'm not, honestly. :/
I've been on Neo for nearly 14 years and I think the last time I truly enjoyed it was...when the obelisk event first appeared? At this point, the only reason I even stay is because of nostalgia. All I want now, really, is for TNT to just secure the site.
(Now I'm super glad one of my Neofriends introduced me to Flight Rising years ago...)
@recklesse: Hmm, that seems to work.. but is it really secure then? It feels weird.. But I'll keep using that from now on, if I remember. Yay for more "security"!
I wonder what is more secure, a full site running on https.. or that stupid security screen that keeps popping up, killing all data being sent...
@apophis324: Neopets.com (and various subdomains) have had HTTPS available since early 2021 I want to say. The rollout to the various subdomains was gradual.
However, connections over HTTPS are not enforced by the Neopets servers, so you can still use HTTP if you want.
To login securely, just change the URL to have an HTTPS in it as recklesse said! (Or get one of those "HTTPS Everywhere" browser add-ons to automatically do it for you.)
That being said, a lack of enforced HTTPS is unlikely to have anything to do with this hack unless the hacker was specifically snooping on the internal Jumpstart network. (And I doubt that.)
How many times are we going to have to change our passwords? Because the system for doing so is buggy and frustrating, and I've already lost all access to two of my side accounts because of this.
I've never been closer to just walking away from Neopets. I have no confidence whatsoever in this team, and it's starting to feel like time to just move on.
Should I change my password and pin now, or do I still wait?
July 22, 2022 2:45 PM NST
Riiiight, TNT.. take your time on fixing this security breach.. just like you take your time on fixing the general site.
Anyone else having trouble logging in? It's not letting me log in.
@swampertgirl yes indeed, lots of trouble. You can try asking for a PW reset, read upwards as @mavegibson has given some good advice about changing PW. I hope your experience is just temporary.
@galifan; Yes, I did ask for my PW to be reset multiple times and managed to finally get on. I'm frustrated to say the least.
@swampertgirl, I'm glad you got in! I hope all's well with your account. This might be a good time to take screenies and clips of your account.
July 22, 2022 6:11 PM NST
First of all, thank you very much JN for informing us and keeping us updated!
I almost can't believe a site as big as Neo is so abysmal at managing security. Key word is almost.
I use different passwords for every account and service, but I'm still worried. Haven't changed my info yet because I'm not sure it's patched, wish they were more clear in their communications. I'll do that now though, can't hurt.
There's something I haven't seen mentioned or I might have missed it: in the bleeping computer article linked above by @much_too_young it says the initial email we used when signing up is also compromised, not only the one we currently have linked to our accounts, so keep that in mind.
I don't think Neo has any way to know the PWs to the email accounts we use, unless we insist on using the same PW for everything. It would be *VERY* interesting to learn otherwise.
Just a couple tips to add for those who are trying to get their passwords reset:
- _Don't use the old account page password form_ to change your password. It won't give you the correct feedback about what is required to make your password work. If you use that old page, you will likely end up like many of us whose passwords didn't work. Instead, log out first, then use 'forgot my password' to reset and select a new password.
- If you use an ad blocker, disable it before trying to reset your password. I found that part of the tech for processing that was blocked by my ad blocker, which was part of why I was having issues.
- Don't forget to change your PIN when you change your password.
July 22, 2022 10:05 PM NST
Hello! I'm very confused, I've read a few of you guys have changed your password but the post recommends not to? What should I do?
Too late. Changed PW. Says both old and new are wrong. Can't do anything. They need to give that an update too.
Ad blockers.. block the process.. of resetting a password?
I'm no techie, I simply cannot wrap my head around how that makes sense in any way...
The fact that it is possible to lock yourself out of your account by using the internal password change form just says all you need to know about the state of this site.
honestly TNT this is sad, taking days to get this fixed
July 23, 2022 8:55 AM NST
Neo_truths doing the lord's work by asking the seller if the source code includes user Pins
@apophis324 It could be a script used in the process that's getting blocked, I don't know. Temporarily disabling ublock fixed it.
@mogster The same thing happened to me. All you need to do is use the 'forgot password' feature to reset your password. Just a warning that it can take multiple tries to get that 'forgot password' form to send you the reset email.
@housie re: "Neo_truths doing the lord's work by asking the seller if the source code includes user Pins"
the 'lord's' work might be something more like 'don't do this'
and, really, REALLY, expecting honest answers, and even real interactions from them?!! Um, NO.
July 23, 2022 5:53 PM NST
@roshchodesh I understand your stance, but let's not forget that TNT is understaffed (therefore can hardly know the extent of the data breach) and of course, their tendency to not inform issues and keep us in the dark
I was trying to change my email since I changed ISP I don't have that email now.
@housie - I wasn't talking about TNT
@mavegibson good advice on the password changes, my roommates and I had already changed our passwords to temporary ones using the form and we're still able to get in ok, but once this gets resolved (it's the weekend so nobody is probably in the office), we will be using your advice to change the passwords again. wanna bet it's going to take a month or two for them to get it resolved.....
They'd tell us if they fixed the problem, right? Like, the fact that they still haven't said anything indicates it's not fixed, right?
July 24, 2022 3:06 PM NST
I don’t think it’s really worth it right now to change passwords, they’ll just steal the updated passwords. I think at the moment what would help most is being really really quiet, remember they’re going to target accounts that have the most visible goodies, things like UCs and expensive items. But you can’t steal what you can’t see so make your least expensive pets active and try to reduce or eliminate anything that shows you have stuff worth stealing. I’m staying off the neoboards.
^No one is going to target specific accounts or care about a person's UCs. It's all about trying to use the data to get into accounts that really matter, such as bank accounts.
I wouldn't worry about it while playing Neopets. Your Neopets are safe.
@dragonperrisgirl From what I've gleaned, the main staff are off-duty on the weekends usually, so I don't know how much actual progress has gotten done in addition to the statement. Earliest we might expect to hear from TNT about the situation is tomorrow afternoon.
Somehow, 69M accounts have been breached and TGIF seem outrageously juxtaposed.
Well, I just spent some time reviewing and improving the security of my email account. There had been quite a flurry of people trying to sign in from US/China/Vietnam etc. over the last 2 or 3 months. Luckily all attempts had been successfully blocked by my email provider.
Since most of these attempts were made before this hacker put his dirty wares up for sale, either somebody else got there first and sold them a while back (very possible) or there's just been a coincidental upsurge in general hacking attempts (also possible).
I know we've been assuming nobody is interested in our actual neopets accounts, but surely those offsite markets that sell accounts, nps, high value items and UC pets for real money might have some interest in that (though I always wonder who's daft enough to buy from them).
I pulled a dumb and updated my password with a password generator and thought I'd saved it but didn't and am now doing the whole "what was the email you used to create your account?" rigamarole and it'd be really nice if they could come up with something else other than an email address that a) was my dad's! and b) is nearly 20 years old!
Fortunately, I am in the habit of changing all my pw's every few months or so but I have now updated my emails associated with anything to do with Neopets.
July 25, 2022 11:00 AM NST
@roshchodesh Right? TNT put a post up on the bird app of them selling merch at comic-con and not a peep around of the situation on the actual site, which makes one question their priorities...
Corporate compartmentalization. The Comic-con team are the cheerleaders, not the ones who clean up the dung. The security team run true to spook type, "Never Say Anything".
July 25, 2022 6:46 PM NST
JellyNeo Team - Thank you for continuing to make updates and keep the info about the hack at the top of the home page.
I wonder if it's worth playing at some points this is definitely one of them
So who's taking odds on their next move? I'll lay 10k and the plushie of your choice that this is the last we hear through official channels.
@galifan I'm not sure there is any security team working for Neopets, other than the new contractors they hired this time.
@thecrazyoo Call me jaded, but I'm dubious they even hired a security "forensics team".
Horatio Caine would have fixed this, jailed the bad guys, and put his sunglasses back on, like days and days ago
JS is no protector.
this happened to animal jam, and Wild Works got the breach fixed within a day
They probably got Sid from MrComputer round the corner to come and take a look. He said he's stumped, there's nothing he can do. And that's it.
Also 'engaging law enforcement' probably means they filed a report with the local police.
'engaging law enforcement' might mean they saw some officers at ComicCon and waved at them
July 26, 2022 12:34 PM NST
Man we are one week in and still nothing. We really are just expected to pretend nothing is wrong, huh.
July 26, 2022 2:10 PM NST
LOL by forensics team, they probably mean meepits
Don't worry guys, I've got a ticket for the big lotto drawing tonight, when I win, I'm going to buy out Neo and the era of meepit mistakes will end.
What an absolute mess, this site is beyond trash and the leadership is incredibly incompetent. Thank you JN for providing us with valuable info that probably has saved lives honestly from hackers and scammers.
This could have serious consequences and they don't even care.
Coming here from reddit because I *just* learned this happened today. Ridiculous. I've been using Bitwarden for a while, so my passwords are both incredibly long and unique, but I'm beyond annoyed this is still an ongoing thing. Six days and counting, seriously?! We're supposed to just sit here and wait for something bad to happen because changing our passwords right now is STILL pointless and wouldn't do anything anyways?
still no news and they advertise the mystery capsules. If you're going to advertise your products to us at least let us know if you've fixed the security issue that would put me at great risk to purchase said product you are advertising to me.
July 27, 2022 10:24 AM NST
A forensics team would be like 'why tf are these passwords plaintext lmao'.
I also am coming here from reddit as there is a stickied post about not visiting neopets during this time and i only came to that realization because i wanted to post after getting good luck on a daily, but the mods here were saying there's no concern to visit and play on neopets so i just wanted to know what you guys think
If you're looking for a guarantee that all you have to do is change your PW once, you won't get it here. But if you've updated your PW, you might as well play as usual, and if you haven't already done so, gather information you might need to prove you're the account owner, JIC.
"gather information you might need to prove you're the account owner"
what information would you recommend gathering?
*sigh* I just went and had a look at that stickied reddit thread, and I feel like it makes a fair point. I'd love to hear what the JN folks think of the point it makes about malicious code injection and the dangers inherent in being on the site.
The thing is that quite a few of the comments on that stickied thread are talking about how the OP might be fear mongering if you aren't going around and downloading everything on the site, so i would also like the opinions of JN folks on both the point made in the post and the counterpoints brought up by a select few people
Regarding the "don't visit Neopets.com" convo, that reddit thread is correct in that there is *some* risk. We don't believe that the hackers have the ability to modify code on production Neopets.com servers (i.e. make a change to inventory.phtml and push it live)
However, we've been told that Neopets.com includes a few places where code is stored in a database and then run on production servers.
Since the hacker has live database access, in theory they could push code to the database which is then run by your browser.
However, I personally believe the risk of that is low enough to *not* have JN recommend staying away from Neopets.com.
If that changes, we'll have some red flashing lights on our homepage!!
In the meantime, I think it's safe enough to visit Neopets.com and go about your day.
As long as you have your browser set to autoupdate (for the latest security) and you are *not* running Flash (in a native format! running it via PaleMoon or Ruffle should be fine) you should be relatively safe.
Fortunately for us, JN is on top of this mess & is keeping us informed in real time. Thank you sincerely!
@wordfreq667 good one
@berriganafy - The info is on the account recovery form on this page: https://www.jellyneo.net/?go=frozen_accounts#filing_a_ticket
@wordfreq667: Hmm, I don't know.. I think I'm going to hack JellyNeo to get live database access to see if they're keeping anything from us
(No, of course not. My hacking skills end by typing the word "hack" and even if I had such skills, I wouldn't be using them on JN!)
Is it safe to change the password now? I'd like to be safe with my account, but I worry it might only cause issues if I do change it already.
this is sad how long this is taking
Let's hope it doesn't take as long as.. *shudders* The Wraith Resurgence...
JS is arrogant, insolent, and unprincipled for their prolonged silence. Such blatant disrespect for us; I am astounded.
It's not dangerous to change your password, so just go ahead and do it. It's just that if the breach hasn't been fixed yet, then they might just get your new one as well. Still, it doesn't hurt to change it just in case it has been fixed. I've already changed all my Neo passwords a couple of times, and intend to do it again once JN announces it has been fixed.
yikes, yikes, yikes, yikes!
Still no updates. This is a disgrace. As if the metaverse nonsense wasn't bad enough. Started playing in 2001, but now... Yeah, I'm officially done with neopets.
Thank you, JellyNeo for always keeping us informed, even if there are not updates from TNT. I really appreciate Dave's note saying there isn't a concern about visiting Neopets.com, and we can still play as we normally have. I had been wondering about this and was logging on sparingly. But if it's "safe" to play normally, I'll continue to do that. Thank you to all the JN staff!! I really appreciate you! - Liz
JS/TNT - SAY SOMETHING. ANYTHING. EVEN THAT YOU'RE STILL WORKING ON IT. EVEN TO SAY YOU'RE NOT.
For goodness' sake, ignoring 69M members but conducting business as usual with dyeworks and cheery newsletters is absurd.
Let's just all accept the fact that this happened and that JS doesn't care about either fixing the problem or informing us it has been fixed.
Good. Now that we have accepted that, we can all carry on with our lives, pretending nothing ever happened. La la laa. Carefree times.
If TNT sent us all Neomail guaranteeing that the site is now using 21st century code and is hacker-proof, would any of us believe it?
@galifan: Of course! Would TNT lie to us? Aside from claiming to be working on all the things requested in the editorial, without actually delivering on any of it of course.
the lazy "I don't give a *redirected*" attitude really makes me not want to buy anything from them
Can we have an update on this post saying that there are still no updates?
Thinking about it, why hasn't TNT emailed everyone about the breach? With nearly 70M accounts worth of emails, you'd think that'd be the first choice, instead of tweeting it out to only 30K followers?
August 1, 2022 1:52 PM NST
Evidently, TNT doesn't give a rat's behind.
there is an update, now when you try to login it says:
"August 2022 Update: Neopets is becoming a safer place! All Neopians are required to rest their password to help keep their accounts secure.
Enter your username and we'll email you a link to reset your password."
but... if the hacker still has live access it doesn't help?
August 1, 2022 2:05 PM NST
I can't log in to one of my sides.
August 1, 2022 2:06 PM NST
It won't even send an email to me to reset if I try. Guess no more neo for me
August 1, 2022 2:08 PM NST
From their FB:
"We wanted to take a moment to provide you with an update since our update on July 20th.
As we previously communicated, Neopets was alerted on July 20th to activity indicating unauthorized access by a third party to portions of our IT systems. Upon investigation, we took immediate steps to shut down further access to the affected systems and we have not seen any unauthorized activity since that time.
We reported the event to law enforcement, and began working with external cybersecurity experts to investigate the event and determine what happened and what data was impacted. As a matter of course, we do not collect or store payment information and do not have evidence that it was impacted. Once the investigation has concluded, we will share additional information, as appropriate.
Our team is working around the clock, deploying additional safeguards onto our systems, including enhancing monitoring of our systems, reinforcing our security practices, and actively reviewing systems to enhance security controls and all security protocols. As a reminder, neither Neopets or its employees will ever ask for your login information. As a precaution, we are taking steps to protect users’ accounts, so when you next visit Neopets, you will be prompted to change your password. We are also currently working on adding multi-factor authentication to better safeguard your account access.
We appreciate your understanding and patience during this event and are committed to supporting the Neopets community. We invite you to reach out to us through our normal support channels with any questions or concerns you might have regarding this incident or the security of your account."
August 1, 2022 2:15 PM NST
Oops! The username entered was not the same one used to submit this password reset request. Please try again.
I keep getting this error over and over.
Welp, I wanted a reason to hiatus. Neo just gave it to me.
August 1, 2022 2:18 PM NST
It took a few tries, but I got the email to reset my password and was able to reset it.
Um, it's saying my username isn't valid, the heck?
Nevermind, for some reason usernames are case sensitive. It wouldn't take "Pikachu315111" but instead had to be "pikachu315111". WHY?!
I've sent multiple password resets and I'm not getting the email.
And I know my email's not wrong, I just tested with the username one and it sent to the correct email.
August 1, 2022 2:29 PM NST
I managed to get my password reset with my main, but the system is pretty laggy right now. I might wait to fix my sides until things quiet down a bit.
Tbh, I'm glad they want us to reset our passwords but uh, if the email tied to your neo account is one you can't use anymore, then you Might be up a creek tbh. Or at least that's kinda what I'm feeling rn
August 1, 2022 2:32 PM NST
I reset my main, then it forced me to reset one side and that's not really working. Now it doesn't like my new main pw either >=( This is a work of genius all the way through.
Took me 6 attempts to be able to get a PW reset email. Within 10 mins of being on the site it logged my main out AGAIN. May just hide on a side account until this blows over....
AND now it's saying my new password is invalid. *facepalm*
Got logged out, reset password, logged in, logged back out again, password not working again. Sigh.
I just went through that whole process of resetting my password, ended it successfully, and now it's saying that my password is invalid again. -_-
I'm gonna check back in later.
"neopets is becoming a safer place"
ah yes what an incredible joy it is to be locked out of my account because staff changed my email when I was a kid to a stupid invalid jumble to "help me get back in" once
"required to rest their password"
You'd think with how much time they took to address this, they'd have proofread that
Oh, this is rich. Two of my sides, the email I signed up with 13 years ago, is defunct. Netscape.net no longer exists.
This will be a hoot, trying to get in that loooooooooong line of people contacting neopets customer support.
I left out all of the expletives that would have proliferated this post had I not allowed wisdom to prevail.
Now I'm wondering if, despite making a new password, the system has once again deleted the new password upon logging me out thinking I didn't already.
Also having trouble receiving the password link. I've had trouble receiving the automated emails in the past. Guess I'll be putting in a ticket. Sigh.
August 1, 2022 3:20 PM NST
Ughh, it took so many tries for it to even send the reset email. After changing it, I also got the "not the same username" thing, then realized that it's because for some weird reason, after the system straight out ignored my first entering of the new pw in the reset form and the form reappeared, it automatically capitalized my username. So, their system did it, then told me "not the same name!!!" *very long sigh*
I'm guessing that I have to use each side for a while to set the form in those too? I tried using the link to the page I got on my main but it says page not found.
Link for password reset please?
What exactly are the rules for new passwords?
August 1, 2022 3:22 PM NST
For those not receiving the email, the reset page MUST load a second page telling you the email was sent. For a while, I thought just clicking the button did it, cause the page wasn't doing anything else.
This post is no longer pinned to the front page, guessing JN is making a new post about the forced logout/password change.
Just curious, is anyone having the same problem as me? Created a new password, was able to log in, but then logged out a few minutes later and told the new password isn't correct?
August 1, 2022 3:28 PM NST
Yes pikachu315111, quite a few times! Aggravating.
Thanks for confirming!
Going to wait a bit before doing anything (aside trying to log back in occasionally), I don't want to do another password reset for this problem to then happen yet again.
New Post here:
@pikachu315111 - That exact same thing happened to me.