Neopets faces class-action lawsuit over huge data breach

A former Neopets user is suing Neopets owner JumpStart Games over a data breach last year that compromised information for 69 million Neopets accounts. It’s a proposed class-action lawsuit filed earlier in January in federal court for California’s Central District.

News of the breach spread in July 2022 after the alleged hacker posted on a forum that they were looking to sell the Neopets database and source code, as well as live access to the game’s backend system. The hacked information included names, email addresses, passwords, and other personal information of Neopets account holders. Financial data, such as their credit card numbers, were not impacted. In August 2022, Neopets CEO Jim Czulewicz provided an update about what happened, confirming that the hacker had access to the system for an extended period.

The hacker was looking to sell the data for 4 bitcoin, or around $100,000 at the time.

Lawyers for the plaintiff, Biankha Negrin, say she was not aware of the data breach until late August — nor was she even aware that Neopets, which was popular decades ago, still had her information. Indeed, plenty of former Neopets players were in this position, as the site has a fraction the users it had at the height of its popularity. Polygon has reached out to Neopets owner JumpStart for comment.

Neopets is the virtual, create-a-pet website that was immensely popular in the early 2000s. JumpStart Games acquired the site in 2014; JumpStart Games is now owned by NetDragon.

Former Neopets players, of which there were plenty, remember the site fondly, but current players have a complicated relationship with the site. Players have been frustrated with leadership decisions for years as the site decayed.

The biggest hit came when Adobe ended support for Flash in 2020, which Neopets heavily relied on; that knocked lots of features offline and stayed broken for a long time, and a number of features still do not work properly. The site has since transitioned to HTML-5, and is definitely better than before, but security is still a major flaw, as evidenced by the data breach.

To mitigate the damage of the hack, Neopets forced all players to change their passwords, which inadvertently locked a large swath of players out of their accounts for good. The company is also working to implement two-factor authentication, and it’s also encouraging players to change their passwords and monitor sensitive accounts.

Negrin’s lawyers argue that the company was negligent with its approach to security, despite “repeated warnings and alerts.” They say there is “no limit” to the damage that can be done when sensitive data is accessed. Though Neopets itself is a small site, it’s owned by NetDragon — “a sophisticated organized with the resources to deploy robust cybersecurity protocols.” NetDragon reported more than $147 million in profits from the games division alone, as of August 2022’s yearly financial results.

Negrin is looking for the court to deem the lawsuit a class action to include others impacted by the data breach. Damages would be determined at a later time. Negrin is also looking for the court to order JumpStart, via Neopets, to make substantial security changes to protect user information.