Account Security!
This used to just be a page about Cookie Grabbers. I still have all the information on Cookie Grabbers below but I feel like there is a more important topic to address first. Hacking.
Tons of people will tell you that you cannot be 'hacked' on Neopets. Well, whether or not this is true is still up for debate. Your email that you use for Neopets however, is a different story. I personally have had my email hacked specifically for Neopets multiple times. Most recently I found the email of the hacker, who got into my emails and changed the alternate email to her own. When I put the email in a search engine, I found out that she was charging people money to hack whatever account they wanted. This is not only cruel, it is also ILLEGAL. So I was specifically targeted by someone willing to waste money and break the law. This account, with this page on it, was the first to go. I can only assume that certain people don't like this info page being shared.
Prevention
Anyways, there are things you can do to HELP prevent this from happening. It is never 100% guaranteed but it can surely help.
1. Strong Email Security! Put security questions, alternate emails and any other security additions on your email accounts. Some emails have a thing where when you try to log in, they will text a new word to your phone and you can only get in with that word. I think this is awesome! Do whatever you can to amp up your email security.
2. Secret Email! Along with the email security, keep your email secret. Use a separate email for Neopets only. I recommend having your regular email as your alternate email so that if someone starts changing info on your Neopets email, you get alerts to your main email. That is how I caught the last person before they got all 5 of my accounts. I went to check my email and found new messages saying my other accounts word and such had been changed.
3. Send Your Pin Daily! This is kind of tedious but can help. You can only send a pin request from Neopets once a day. So if the first thing you do when you get online is send your pin to your email AND go to your email and delete it from your inbox AND trash, you can at least slow the hackers down. If they can't get your pin AND you have everything pinned on your account, which you should!- they can't do much to you. You can do that HERE.
4. Be Nice! Wait, what? You think I'm crazy? Well, it is a known fact that people can specifically target your accounts. Usually they target people with nice pets, but most people can't give up their nice pets. They can however, try to be nice so people won't target them for some type of sick revenge. I had a friend who was attacked because someone felt mistreated by them. The hacker even went on to threaten my friend offsite. It was horrible and very sad to see. The people that do that, hack I mean, don't seem to understand the emotional toll it takes on people. If someone is rude to you on Neopets, block them and move on. Don't try to ruin their life, that makes you way worse than they could ever be.
5. Birthday Prompt! There is a new feature that has it require a Birthday
prompt whenever you log in from a new computer or haven't logged in for a while. I recommend using it. You can add it HERE IMPORTANT: In order for this to do any good, I recommend keeping your birthday to yourself. If you make a board about it being your birthday, this prompt won't help at all.
6. Hide yo' NC! This is way more common lately. Thieves will sell your NC items off site for real money, which, again, is ILLEGAL! Help avoid this by making your NC album private. If someone goes through your album and sees 6 NY in FLs, 3 Spyder Staffs, Mini Monster, ect, chances are they will try to get in.
Preperation!
It helps to be prepared in case you are hacked/CGed and your accounts are frozen for protection. When you make a TICKET to get your account back, you will be asked for a ton of information. Here are some things you should have documented for that…
1. Basic Info! Keep track of your previously used emails and words for each account. ALL of them.
2. Neofriends! Keep a list of all of your Neofriends and make sure your birthday is accurate or at least written down.
3. Your NC history! Since I no longer had access to my email when I was hacked, the staff member requested my NC history. I never thought to keep that information but now I do! First, go HERE and on the bottom left, you will see an option for "NC Account." Choose that and then choose "NC Log." Then you will see a new page come up saying "NC Log: A summary of your NC purchases." Under that, choose "All Time." Copy and paste that entire thing into a document for safe keeping. If you can give them some of your NC card codes that you redeemed, that would help.
4. Codes! Along with your NC cards codes, any other codes would help as well. For example, codes for KQ plushies or Space Faerie codes AND what you got for them. These are things that only you could know.
5. Warnings Received! If you were ever warned, suspended, silenced or frozen in the past, give TNT as much info as possible for that. When, why, etc.
6. Pets! Keep a specific list on pets you have created on that account. Also keep a list of pets you have adopted/abandoned/transferred and where they went/came from.
7. Items! Here is a huge one. They will want a list of items that are equipped to your pets and in your closet. It can't hurt to throw a couple snowballs and a scarab ring or something on your pets to have SOMETHING to say about equipment. If you are like me and have thousands upon thousands of items in your closet, write down a good list of obscure ones. Paint brush clothing, full super-packs and how many freaking bows you have are good things to note.
8. Extra Info! There is a space for anything else you can think of to add. I recommend things like what avatars you have, what dates you won certain contests (like BC, poetry, etc), stocks, and more.
If you want more information on this, I recommend Sarika_ambrielle's "Who Knew" HERE.
Back to Top
Quick Checklist in Case You Are Hacked!
If someone is in your account right now, or you think they might be, Follow these steps. If you can't do one, skip it and go to the next.
1. Try to login in to your account. If you are already logged in, log out and back in. If you cannot log in, try to have your word sent to your email. If you can't access your email either, skip to step 5.
2. If you get in, change your word and pin. Log out and back in with new word.
3. Check and make sure the email associated with the account is your own. If it's not, change it back if you can.
4. Keep an eye on your email to make sure they don't get in that.
5. If you can't get in and your account is not frozen, sign into another account and report your hacked account. Get other people to do the same. You want to get it frozen as soon as possible to stop the hacker from doing too much damage.
6. Even if you get in and change your info, and ESPECIALLY if your account gets frozen, submit a TICKET about the situation.
Back to Top
Now back to Cookie-Grabbing…
Quick Checklist in Case You Are Cookie Grabbed
If you JUST clicked a link or JUST got caught in a shop, this is the order you should act in:
*Log out and log back in
*Change your word and pin
*Make sure your email is still the same
*If you used the same word for anything else, change it there too
*If they did something to your account that required a pin, make sure your email is still secure.
Back to Top
What are Cookies?
Here is where I make some joke about sugar and flour cooked to perfection, but those are not the kind of cookies I'm talking about today.
Cookies are used by websites to identify users. When you enter a Username and your login "secret word" (or other personal information), it is stored on your local computer by the browser you are using. For example, websites that "save" your username and/or "word" use these cookies to help identify you. They can be used to store "Shopping Cart" contents, user preferences, "Favorites," and more.
~A cookie is pretty much a little note with your information on it that is stored on your computer.~
People stealing your cookies
Cookies are pretty nifty, and yet pretty dangerous. Grabbers come in many different disguises. You can learn more about these below.
Why do people do this? Well there are a couple reasons…
1. Challenge. For some crazy reason, CGers get a kick out of finding ways around coding. It's a challenge for them.
2. Profit. Some people try to sell the pets and NP that they steal. Luckily, TNT is cracking down on this. If you think someone is compromised and they are giving stuff away, do NOT accept anything. This can get you in trouble or even frozen.
3. More Profit. Okay while doing my research, I found a site where people would pay someone to steal a specific person's account. If you suddenly find yourself a target of scam neomails/emails, be extra careful.
Back to Top
What to do after you've been cookie grabbed
Deleting your cookies after you've been cookie grabbed is silly. It's like hiding the cookie jar after someone ate them all… It's quicker to just log out.
If you JUST clicked a link or JUST got caught in a shop, this is the order you should act in:
*Log out and log back in
*Change your word and pin
*Make sure your email is still the same
*If you used the same word for anything else, change it there too
*If they did something to your account that required a pin, make sure your email is still secure.
If you want, you can log back out and in with the new word to create a new cookie too.
You HAVE to act fast here. Lately, the cookie grabbers have been stealing your session, not your actual info. It takes too long to decipher your word. You need to log out first because if they steal your session, logging out will log them out as well. You can try this yourself. If you have more than one browser, say IE and FF, for example. Sign in on firefox and then on internet explorer, you can stay logged on in both browsers. If you sign out in one, you will be logged out in the other.
Anyways, After you log out and change your word, double check your email, make sure it is yours. Another extra thing to do is send your pin to your email, and then go and delete the email. You can't send your pin anywhere more than once a day. I recommend having one email for all your accounts that is ONLY for Neopets. Don't give it out. Don't put it on face book.
So far, they don't seem to be cross site cookie grabbing on Neopets, but you can change your words in other places too if you want.
Oh and make sure you report the offending shop/person using the Neopets report form.
Now here is where people get controversial. Some say that the cookie grabbers can only get the information from the site that you are currently on. This is true most of the time, however there is a chance for a grabber to access cookies from other sites. This is a term called cross-site scripting or XSS. So I suggest changing all of your "words." It doesn't always happen, but as I like to say, better safe than sorry.
Back to Top
If it's too late…
If you were too late and your account was stolen and frozen, fill out a ticket on the NEW Support System. Emailing staff members directly do NOT work anymore. It just wastes your time. They will always direct you to the ticket system now.
Common Scams to Watch out for!
So, now you know the basics of what cookies and cookie grabbers are. Don't panic though! I can help you learn what to look out for. Oh and before I forget, make sure you PIN EVERYTHING! Although they can get your pin as well, it doesn't hurt to have extra security. Let me fill you in on the basic scams.
Userlookups, Pet pages, Galleries, ect
These are the most common scams. Sometimes people will post their pet page links saying they have UFT lists or other interesting things there. -Same with Galleries and other places that the HTML can be edited by users. If it's a CGer, when you go to these places, just viewing the page will get you grabbed. There are a couple ways to protect yourself.
1. Don't go to these places. Ask people to tell you what's on the page instead. This isn't a very fun way though.
2. View these pages in another browser. Say you use Firefox for Neopets. Open Internet Explorer and copy and paste the link to there instead. This isn't 100% safe though.
3. The way I suggest (and personally use), is to use Firefox with the No script and Request Policy add ons. I dicuss these later in my guide.
Shop Sniping Scams
These are tricky ones. The attacker puts an item in a shop for 1 np or cheap. The most common ones are codestones, dubloons, map pieces, ect. They use coding to hide the real item and put a cookie grabbing link on the fake one.
Dimitri_stanislaus has a great Guide with images to show what these shops can look like.
So how do you avoid these? First off, you can avoid shops. But who wants to do that? Instead, right click on the page and view the source. Then hit CRTL-F and search for "cook." READ CAREFULLY!!- The only time "cook" should show up is at the bottom of the source. –UNLESS someone was talking about cookies in a board post, then that will show. If you see it in the user-editable area with a strange website next to it- get out of there! And report the shop. If it's not really a CGer, Neopets won't act. But it's better to be safe than sorry.
Using the trading post more than shops is a good idea too.
Board scams
These fall under the click-a-link category. Someone makes a board and gives you a link to click right away. Examples:
Tarla is here!
Draik in the pound!
And more.
So how do you avoid these? Simple, hover over every link before clicking on it. MAKE SURE it's a Neopets.com link.
The difference with these it that they bring you to another site. This is worse because they can bring you to a site that will actually hack your computer. If this happens, you need to change all your info for all your sites/emails, ect. *UPDATE* I thought this was obvious but if anyone tells you to go offsite, don't. Recently, I saw a board where someone put up a warning about duped items. They said to search for something specific on a search engine. People did, and they were CGed. The worst part? The offsite CGers can get ALL your info, not just Neopets.
*Another update* I have seen cookie grabbers that worked just by visiting a neoboard, not clicking a link. The only way to avoid these is with Firefox and the add-ons I suggest later on in my guide.
People asked for proof so here it is. 
Drag to it URL bar for full-size.
The scary scams
Okay, try not to panic. These are nearly impossible to sneak past the filters. These are invisible pop-ups that appear and disappear really quickly. These you can't spot until it's too late. So, if you suddenly see a lot of strange code, or you get logged out after visiting a shop, gallery, guild, look-up or anything that users can code; Log out/in and change your word!
Now sometimes Neopets gets a tad glitchy and you have random log-outs and sometimes the dreaded "Neopets is offline." And with all of this cookie grabbing business, people tend to panic. If you are ever worried when something like that happens, just change your word when you log back in.
NOTE: If you have premium, sometimes visiting webmail can log you out.
Back to Top
Extra Security
I recommend using firefox with the REQUEST POLICY and NO SCRIPT add ons. Dimitri has more info on that on his Guide that I mentioned earlier. I have personally used it myself and find that it helps a lot.
Info on request policy…
Okay first off, never EVER allow all requests from any site. You will see a little red flag in the corner of the screen. If the flag is red, it is working. If you click the flag, you will see "blocked destinations." On neopet's regular pages there are 7 main ones that should be blocked. (Unless you have premium, then there are just two). I can't type them fully out but these should be blocked.. Goog, Score, Adb, Double, Quant, and Meteor.
Now when you view petpages and stuff, it will block pictures and such. You will have to click the flag and select allow requests from neopets.com to ...Photob, ect. BUT NEVER allow to a site you don't know. Request policy can be kind of annoying, especially off neo, but believe me, it is worth it.
Now for No Script, you have to allow Neopets and any other site you trust. No Script will make sure scripts are only run by sites you trust. –The ones you white-list (allow).
The problem with Neopets on Facebook
I made another page for this. You can find it Here.
OTHER ways people are getting into accounts
The most common new way is from unregistered emails (Unregs).
Email providers sometimes go through and delete old email accounts that don't have a lot of activity. This purging happens WAY more than you would think. Lately, thieves have been making TONS of emails, they then try having all kinds of sites mail info. Neopets is usually one of these sites.
So how do you help prevent this?
1. Make sure your email that you use for Neopets is hard to guess.
2. Make a point to sign into that email at least once a month. I do mine every week when I enter the customization spotlight.
3. Switch to an email provider that doesn't purge. I can't list those here sorry.
Another new way people are getting in is through hashes.
Sites commonly delete certain info, like UNs and Words, information you use when signing up for an account. When they delete this info, it doesn't just disappear, it gets turned into a (usually) secure code and sent into oblivion. What people are doing is intercepting this information and converting the codes. The most commonly stolen piece of info is the email address you used to sign up. Most emails are VERY easy to hack.
How do you prevent this one?
1. Like I've said, use an email for Neopets that you ONLY use for Neopets. Just make sure it doesn't get Unreged (see above).
2. Use different UNs and Words on fan sites! This should be so obvious, really.
Back to Top
Stolen pets
If someone trades you a stolen pet, DO NOT RETRADE! Submit a ticket to TNT and put a note on the pet lookup that you are working with TNT to get things figured out. If you find out a pet you traded for was stolen and you proceed to retrade the pet, TNT may assume you are the thief and you will most likely get frozen! It may take up to a few months for this to be fixed, be patient and don't risk your account by getting rid of the stolen pet.
Now this is still a work in progress, if you have anything you would like me to add, please let me know by Neomailing me, Skizzabella.
Back to Top
Link to me?
Link to me?
Link to me?
Link to me?
