August
29, 2022
Re:
Notice of Data Breach
Neopets began
updating individuals today through its communication channels
regarding a data incident that may have affected players' information. Neopets
previously communicated about this incident to players on July 21, 2022, and
August 1, 2022. This notice provides
details about the incident, our response, and available resources.
What Happened?
On July
20, 2022, Neopets was alerted to activity indicating unauthorized access by a
third party to our IT systems. We took immediate steps to shut down further
access to the affected systems and we have not seen any unauthorized activity
since that time. We also launched
an investigation assisted by a leading forensics firm and engaged with law
enforcement. On August 10, 2022, Neopets
determined that the event resulted in unauthorized access to, and in some
cases, download of, player personal information.
What Information Was Involved?
After
our investigation, we have determined that for past and present Neopets players,
affected information may include the data provided when registering for or
playing Neopets, including name, email address, username, date of birth,
gender, IP address, Neopets PIN, hashed password, as well as data about a player's
pet, game play, and other information provided to Neopets. For players that played prior to 2015, the
information also could have included non-hashed, but inactive, passwords. This
information appears to have been accessed and potentially downloaded between
January 3-February 5, 2021, or July 16-19, 2022.
We do not store users' government issued
identification numbers, bank account information, or payment card information.
What We Are Doing
Neopets is committed to safeguarding our players' personal information. As
part of our ongoing commitment to the safety and privacy of the Neopets' player
information in our care, we have reset players' passwords and are working on
adding multi-factor authentication to better safeguard your account access. We have also enhanced the protection of our
systems, including by further strengthening our network monitoring,
authentication, and system protection.
What You Can Do
If you used your Neopets password
on other websites, we recommend that you change your passwords for those
accounts as well. In general, it is a good idea to use different passwords
across different applications and choose strong passwords.
In addition to changing your
passwords, we recommend you do the following:
· While we are not aware of any misuse of your information, it is always a good practice to remain vigilant against threats of identity theft or fraud, and to regularly review and monitor your account statements and credit history for any signs of unauthorized transactions or activity. If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police. Additional information about how to protect your identity is below.
· Additionally, it is always a good idea to be alert for "phishing" emails by someone who acts like they know you or are a company that you may do business with and requests sensitive information over email, such as passwords, government identification numbers, or bank account information.
For
U.S. residents, additional information about how to protect your identity is
contained below.
For more
information:
If you have questions regarding this notice,
we invite you to reach out to us through our normal support channels or by
calling 1-310-533-3400, or toll-free at 1-800-413-0526, with any questions or
concerns you might have regarding this incident or the security of your
account.
Sincerely,
Jim Czulewicz
President
& CEO
Neopets
Information for U.S. Customers
MORE
INFORMATION ABOUT IDENTITY PROTECTION
INFORMATION
ON OBTAINING A FREE CREDIT REPORT
U.S.
customers are entitled under U.S. law to one free credit report annually from
each of the three major credit bureaus. To order your free credit reports,
visit www.annualcreditreport.com or call toll‑free
(877) 322‑8228.
INFORMATION
ON IMPLEMENTING A FRAUD ALERT OR SECURITY FREEZE
You
can contact the three major credit bureaus at the addresses below to place a
fraud alert on your credit report. A fraud alert indicates to anyone requesting
your credit file that you suspect you are a possible victim of fraud. A fraud
alert does not affect your ability to get a loan or credit. Instead, it alerts
a business that your personal information might have been compromised and requires
that business to verify your identity before issuing you credit. Although this
may cause some short delay if you are the one applying for the credit, it might
protect against someone else obtaining credit in your name.
A
security freeze prohibits a credit reporting agency from releasing any
information from a consumer's credit report without written authorization.
However, please be aware that placing a security freeze on your credit report
may delay, interfere with, or prevent the timely approval of any requests you
make for new loans, credit, mortgages, employment, housing, or other services.
A credit reporting agency may not charge you to place, temporarily lift, or
permanently remove a security freeze.
To
place a fraud alert or security freeze on your credit report, you must contact
the three credit bureaus below:
Equifax |
Experian |
TransUnion |
Consumer Fraud
Division |
Credit Fraud Center |
TransUnion LLC |
P.O. Box 740256 |
P.O. Box 9554 |
P.O. Box 2000 |
Atlanta, GA 30374 |
Allen, TX 75013 |
Chester, PA 19022‑2000 |
(888) 766‑0008 |
(888) 397‑3742 |
(800) 680‑7289 |
To request a security freeze, you
will need to provide the following information:
You
may also contact the U.S. Federal Trade Commission ("FTC") for further
information on fraud alerts, security freezes, and how to protect yourself from
identity theft. The FTC can be contacted at 400 7th St. SW, Washington, DC
20024; telephone +1 (877) 382‑4357; or www.consumer.gov/idtheft.
ADDITIONAL
RESOURCES
Your
state attorney general may also have advice on preventing identity theft, and
you should report instances of known or suspected identity theft to law
enforcement, your state attorney general, or the FTC.
California Residents: Visit the
California Department of Justice's Privacy Unit (https://oag.ca.gov/privacy) for
additional information on protection against identity theft.
District of Columbia Residents: The District of Columbia Attorney General may be contacted at: 400 6th
Street, NW, Washington, DC 20001; 202-727-3400; oag@dc.gov, and www.oag.dc.gov.
Maryland Residents: The Attorney
General can be contacted at Office of Attorney General, 200 St. Paul Place,
Baltimore, Maryland 21202; +1 (888) 743-0023; or www.marylandattorneygeneral.gov.
Massachusetts Residents: Under
Massachusetts law, you have the right to obtain any police report filed in
connection to the cybersecurity event. If you are the victim of identity theft,
you also have the right to file a police report and obtain a copy of it.
North Carolina Residents: The Attorney
General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001;
+1 (919) 716-6400; or www.ncdoj.gov.
New Mexico Residents: You have
rights under the federal Fair Credit Reporting Act (FCRA), which governs the
collection and use of information pertaining to you by consumer reporting
agencies. For more information about your rights under the FCRA, please visit
https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.
New York Residents: The Attorney
General can be contacted at the Office of the Attorney General, The Capitol,
Albany, NY 12224-0341, +1 (800)-771-7755; or www.ag.ny.gov.
Rhode Island Residents: The Attorney
General can be contacted at 150 South Main Street, Providence, Rhode Island
02903; +1 (401) 274-4400; or www.riag.ri.gov. You may also
file a police report by contacting local or state law enforcement agencies.