Neopets security breach

[kiiraa]

(...) I would be surprised if even 1,000,000 million new entires are genuine since 2016. Most of it is duplicated or the same players over and over again. (...) So what are you paying for? $100k/4 BTC for maybe 100,000 genuine, non-duplicated, accessible identities at best. Most of those will be people who have been alerted about this and changed/secured their info. Maybe I am stupid, but I really doubt that a neopets username, email, password, IP and birthday is enough to compromise someone's identity in a way that would meaningfully make you enough money to justify spending 4 BTC. (...).

Well, the older DB didnt have all players which join in +2013. I saw and didnt find my old account. So, maybe this time they have a more complete DB from the players than before, thats why you see the increase of the number of accounts. And about spending money, I think in this world there are people with a LOT of money and nothing to spend. So if you make 50k per month, why not spending 100k for fun? I guess if the hacker can secure it's a live DB access and sell to just one person, it'll sell very quickle. But can one person access all acount and steal all pets and nps? Probably no.

The person with money to buy wont be using the DB to steal real money from people, they would probably using the info for fun. Like, why would you risk going to jail if you can go YOLO on neopets? Specially if you have 25k-100k to spend.

I think the bigger problem is if they release the DB to the public and your account is there lol

[Shawn]

Andrew is right, the real (monetary) value does not lie in Neopets itself, but rather the information that comes with the db.

If you're talking about recovering your BTC's worth by selling Neo stuff, for 4 BTC, you're honestly not going to breakeven. For 1 BTC you could. And that's assuming the live db write access is not patched.

[I_royalty_I]

Andrew is right, the real (monetary) value does not lie in Neopets itself, but rather the information that comes with the db.

If you're talking about recovering your BTC's worth by selling Neo stuff, for 4 BTC, you're honestly not going to breakeven. For 1 BTC you could. And that's assuming the live db write access is not patched.

trust me - I’ve played this thing out 1000 times. I could buy this entire exploit almost 6 times over:.. but I don’t see the value at this point in time. You’d have to find some intrinsic value if you are to make this kind of purchase. But you’d also have to consider the costs of accessing a database with an unreliable proxy and being on the hook once law enforcement comes knocking. That’s not worth the risk. I can say I’d be tempted… just, literally, for my own entertainment.
i bought so many of those lists from Joe, years ago, but I did it for fun and the thrill of finding some cool shit. I DID find ONE account that made it all worth it. But the odds of that again are slim to none. I see this going unsold, at least the full access, because it’s not worth it. Maybe 5-10 years ago - hell yeah. Gen NPs and items - so worth it. Now, no, not at all.

[Synth Salazzle]

I honestly would just keep the bitcoins, nothing's worth getting wrapped up in that shit, they already said they're getting law enforcement involved, getting your hands dirty now is just straight up stupid and reckless.

[Shawn]

4 BTC for the DB + access??

91,152 USD is a hefty chunk of change for most people.
Paying 88,392 USD for this without being able to guarantee that the live access won't get patched, while having alerted Jumpstart to the presence of the exploit is too much risk to undertake for a buyer.
Sure, I could see this sell for 20 to 35k USD, but expecting 102,316 USD for this is too much

Please log in to view spoilers.

[Rhymes with Witch]

After reading this entire thread, honestly ... do we even have any proof this is real? 69 million users... incredibly public about selling... asking 4BTC for something that worth 1BTC... it seems like an overblown practical joke or worse.

[Jackalope]

After reading this entire thread, honestly ... do we even have any proof this is real? 69 million users... incredibly public about selling... asking 4BTC for something that worth 1BTC... it seems like an overblown practical joke or worse.

I think someone created an account in game and asked the seller to tell them what the internal info on the account was and the seller was able to tell them, implying that they do in fact have live access. I think someone else mentioned that the person who vouched for the validity was important to the site in some way? I honestly don't know much about that kind of thing but I remember seeing a screenshot to that effect.

- - - Updated - - -

That said the seller truly having the access to this swiss cheese ass site and a buyer actually being willing to risk it all for neopets dot com are two very different things.

[birdies]

Jeezy creezy criminy christmas.

I swear every time I take a break some nonsense goes down. I've just read 30 hecking pages.

I do have a question though - I work for a company who run a 20+ year old website which has user accounts and message boards etc. Thing of the most ancient creaky form of ancient social media.

Updating it to 2020+ has been a challenge, especially trying to make it work for an app, but stuff like - adding OTP at logins, adding 2FA for members who want it... that's not hard.

Our dev team is three people and our site has never been hacked - the biggest problem with hackers we have comes through people's emails getting compromised. We don't need to use nonsense like stackpath to disrupt user experience.

There are a LOT of creaky bits and a lot of the site is held together by string, but account security is the biggest priority.

So why *haven't* TNT enabled 2FA? It seems like it would be the easiest way to help secure accounts at least from casual users with access to any previous data breach, and it's not hard to do. So it's just money?

You'd think they'd save money by not having to bring in lawyers and forensic teams when this happens, but hey.

Also, considering Neo_Truths contacted them ages ago to say he had DB access, and that site that was unconverting pets also had DB access, have neo not broken a few laws by not clearly informing us their DB wasn't secure before now?

Honestly, I'll change a few emails and passwords but mainly I'm going to screenshot a bunch of stuff on my accounts because I feel like this dude won't be able to sell and may just put the database up somewhere as pay to access.

[Kibba]

I honestly don't know how TNT handles the information and security of all of its users... Like, Is it that hard to have an
online security system? How are they facing another attack over and over like it's something that hasn't happened before?

I'm starting to think the ''Breaches'' are always made by someone at TNT in order to bring the site back at everyones mouths 🙄

[DarkSkies]

There haven't been an update from TNT about this? I honestly wouldn't mind if they shutdown the site for some days, like take your time but please enhance the security.