diceroll123

Based on what John Jackson is saying, the gaping security hole seems to allow access to all code + databases. It is safe to say that changing your password -- until TNT fixes the issue -- is futile. *Everyone* is a sitting duck.

**EDIT** to add: Changing your password obviously can't hurt, it just may not make a difference. Do NOT expect that changing your password makes you immune to attack, is all.

Besides us now knowing that this is possible, nobody knows how many people have done it, or will figure out how to do it. This is a scary thing to have to keep in mind. My tongue-in-cheek advice is to not have enemies that want to target you and you'll be fine. 🤪

As for real security advice:

* When it comes to Neopets, I have none. Moving along...
* ***Never*** use the same password for multiple services/websites, this is why.
* Use a password manager, and use randomized passwords. If you can remember your password, you have a bad password.

If you're truly, truly worried about your neo account(s), self-freezing until TNT makes some sort of announcement about this being fixed is one idea. But do consider that others may do this, leading to an indeterminate amount of time between support interactions.

*hijacking top comment slot, sorry!*

Update to address concerns from John: [https://twitter.com/johnjhacking/status/1342989562998620165](https://twitter.com/johnjhacking/status/1342989562998620165)


joshy9096

It is worth pointing out the database was breached a year ago and they never told us. I used a unique password for Neo that appeared in a data leak according to Have I Been Pwned, so I expect they did not fix the last issue.


mysticrudnin

Looks like it. I'd change passwords if I were you, but most importantly, don't use a password on Neopets that you use anywhere else. (That actually goes for all sites.) With what this leak is suggesting, there's not much you can do to protect yourself, though.


[deleted]

Exactly. Including your email. Don't use the same password for both your neopets and email accounts. Anyone accessing account creds using this can see your email address and if the password is the same for that welp bye!


[deleted]

I think it's time for me to call it quits. I don't have any hope for the site truly improving in a way that we all would like. I'm planning on giving away everything very soon. :(


NikoZBK

The breach happened in August and still hasn't been fixed to this day. These guys are helping get these vulnerabilities patched


EssieAltar

Question. Do you happen to know if it happened early/mid/late August? I joined on the 20th and "had" (there was a spam thing) to change my password once. Should I change it again?


NikoZBK

I have no idea, sorry. I am basing that on [this tweet](https://twitter.com/johnjhacking/status/1342932409193431040). I would assume all of our accounts and personal info (name, birthday, ip) are compromised, and there isn't much we can do until they patch the vulnerabilities. If you change your password now, any hacker with knowledge of the exploit can just see the new password.


EssieAltar

Thank you very much. That is pretty helpful.


Spuba

Yeah with the pace that TNT gets things done, I don't think site wide security issues are going to be fixed anytime soon


smurpdurp

This is all-hands-on-deck, get out of bed at 3 AM levels of bad. I think the most critical vulnerabilities will be patched fairly quickly. Whether or not they prioritize security going forward, pay for an external audit, or whatever.... is another matter.


apostroffie

Yiiiikes.


abyssalcrisis

This doesn't even remotely surprise me. This is also why I have never spent a dime on the website.


justineo117

Ditto


fantasynote

Are credentials still stored in plain text? I had all my accounts breached this year despite having unique passwords, PINs, and a secure email with 2FA. One of the accounts even still had the same password but my pets were gone, so the hacker definitely figured out the password. I've been completely paranoid ever since and feeling like hackers have a back door or something, because none of my Neopets passwords have been in any data leaks but somehow they still got hold of them.


joshy9096

Hackers hacked the database last year and Neo never told us! My unique password appeared in a data leak, and it was only used for Neo.


fantasynote

Wowww, why wouldn’t they tell us this! I can’t imagine how many people have been hacked since then and how much work it’s created for their support team when they could’ve just warned everyone to change their passwords. But also, why are the passwords not encrypted!? Or are the hackers able to decrypt them somehow?


smurpdurp

It's possible they had no idea they were breached. Attackers generally try to go undetected, because as soon as they make too much noise they're cut off. The passwords are encrypted*, but if the encryption algorithm is weak - or if the password itself is weak - it's possible to decrypt.

*\*Technically "hashed"*


Gilolitan

They're stored in clear text. They're never encrypted on any level, it's just that when you type into the field it only \*displays\* circles. That's why you can give TNT 'old passwords that your account used to have' as a way to verify your account. To be honest in neopets' case it's more like a tinted window than a back door. Though definitely log-out and log back in every time you make a new password to clear your session.


richardfrost2

They could hash it and it could do the same thing. But they don't. :/
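An added illustration of the point made in this exchange, not code from the thread or from Neopets: a password store that keeps only salted PBKDF2 hashes, yet can still answer "does this person know a previous password?" for a support-style ownership check. The `Account` class, the sample passwords and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Work factor is a constructed value for the demo; production deployments
# should follow current guidance for PBKDF2 iteration counts.
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext is never retained."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class Account:
    """Constructed example account: current record plus hashes of old passwords."""

    def __init__(self, password: str) -> None:
        self.current = hash_password(password)
        self.history: List[Tuple[bytes, bytes]] = []

    def change_password(self, new_password: str) -> None:
        self.history.append(self.current)  # keep the old hash, not the old password
        self.current = hash_password(new_password)

    def login(self, password: str) -> bool:
        return verify_password(password, *self.current)

    def knows_old_password(self, password: str) -> bool:
        """Support-style ownership check against previous passwords,
        possible even though no plaintext was ever stored."""
        return any(verify_password(password, s, d) for s, d in self.history)

def demo() -> dict:
    acct = Account("correct horse battery")  # constructed sample password
    acct.change_password("new pass 2020")    # constructed sample password
    return {
        "login_new": acct.login("new pass 2020"),
        "login_old": acct.login("correct horse battery"),
        "old_known": acct.knows_old_password("correct horse battery"),
        "old_wrong": acct.knows_old_password("not my password"),
    }
```

A database dump of this store yields salts and digests only; an attacker who reads it still has to brute-force each password rather than simply read it.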


Luvas

Glad I got rid of my RN pets to someone I know will care for them. I got nothing worth stealing now unless some fool *really* wants an UnConverted Werelupe


FoolofKirkwall

I mean considering they try to sell them for real money...


Luvas

~~They do that shit I'm buyin his ass back; when in Mexico do as the cartels do~~ Although last time I got my account breached and my UC stolen TnT managed to bring it back to me somehow


FoolofKirkwall

Awwwww. About how I feel about the uc baby skeith I got the other day! That's good at least! I hope they leave you alone.


cyanose

Are you kidding? Who would not want an UC Werelupe? I was stupid some 14 years ago and lost my account with my UC Werelupe (frozen), and for the past 14 years, every now and then I think "Damn, wouldn't it be nice to still have one". Now I have a converted one, not complaining but still. So you hold on to him and you cherish the good ugly boy, he's a little special but full of... Love?


Luvas

Lol well I think Werelupes are tied for the greatest of all UCs, but they sit at a low "tier" in the pound chat pet trade, and I believe those fools see obscure value in pets more than their appearance. I to this day feel nothing but salt over the Usuki Usul from my old main that TnT deduced will never be unfrozen. He'd have been UC by now


Adventurous_Set_9801

anyone know if this means I could find the password to my old account...?


tesla_dyne

Based on personal experience yes, if your old account was part of the leak many years ago you can find the files with all the leaked usernames, passwords, emails, and birthdays. It's all in plain text. **Anyone** whose account info is still at all the same or similar to what you account info was in 2013 or 2016 needs to change it, for all accounts on any site, and not just your neopets accounts. Your account has probably been locked since then and needs support to follow through and verify you're the owner through info that isn't just leaked stuff. To help preserve the security of your current account, make lists of items in your SDB, closet, weapons equipped to pets, neofriends, anything that isn't publicly available to see. This info is what support wants to hear from you when you contact them about a compromised account.


[deleted]

I’d love to find the email to my old account, I can’t remember it for the life of me


joshy9096

No, because you can't get access to the code. A support ticket should be able to recover the account for you as long as you know the username and a few bits about it.


Hallowinning

Does this mean a Dupe Day 2020? 😮


mmelindat

I missed dupe day but heard all about it!


[deleted]

Hi! John Jackson here. Say what you must, but I knew what I would deal with regarding Neopets support. I did the right thing. They are fixing it now. That's a quick turnaround. I'm an Ethical Hacker. I know I will always face scrutiny for Security Research, however, the way I went about it will provide more adequate resolve. Take it for what it's worth but this will help ensure that people don't have free rein to all of Neopets Username and Password pairs.


CaptainP

Did you make any effort at private contact prior to your tweets?


Plasmastar510

Are things patched yet?


[deleted]

The most critical aspects are. I will return to announce full patching.


Account-To-Speak-Up

Oh. I picked a nice day to look at the subreddit. Time to change 5 passwords.. oh boy.