Data leak
Neopets Breach: 69 Million User Accounts, Live Database Access Sold
Primary Source
Incident Details
On 20 July 2022, a threat actor posted on BreachForums offering to sell 69 million Neopets user records and, unusually, live access to Neopets’ database (with read and write capabilities) for 4 Bitcoin (about $90,000). Neopets is a virtual pet website popular since the late 1990s, owned since 2014 by JumpStart Games (which was acquired by the Chinese company NetDragon in 2017).

The stolen data included usernames, names, email addresses, dates of birth, gender, country, IP addresses, and hashed passwords; for many accounts the hashes were unsalted SHA-1 or MD5. The attacker allegedly had persistent database access since approximately January 2021. Neopets confirmed the breach on 21 July 2022 and took several steps to investigate and secure the platform.

The breach was particularly notable for the offer of live database read/write access (rare in breach sales), the resulting ability of the attacker to manipulate game data for any user, the roughly 18-month undetected dwell time, and the fact that Neopets’ user base includes many children, raising child-privacy concerns. The data was later shared freely online.

Unsalted SHA-1 and MD5 are fast, single-pass hashes, so the leaked credentials were highly susceptible to cracking with wordlists and precomputed lookup tables. Many Neopets users had accounts from childhood (the site launched in 1999) with old email addresses and reused passwords, creating widespread credential stuffing risk.
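The cracking risk described above, shown as an added example that is not part of the original report or of Neopets' code: the block builds a constructed dump in the unsalted SHA-1/MD5 format the report describes, recovers passwords from it with one precomputed table that is reused across every row, and contrasts that with per-user salted PBKDF2 storage (a standard-library stand-in for bcrypt), where no table can be shared between accounts and every guess costs a full KDF run. All usernames, passwords and the wordlist are constructed; the iteration count is the current OWASP recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import secrets

# Constructed demo data: none of these names or passwords are real Neopets records.
WORDLIST = ["neopets", "password", "fluffy2003", "letmein", "dragon"]


def legacy_hash(password: str, algo: str) -> str:
    """Store the password the way the leaked rows reportedly were:
    one pass of a fast hash (md5 or sha1), no salt."""
    return hashlib.new(algo, password.encode()).hexdigest()


# Constructed "leaked" rows in the legacy format: (username, algorithm, hex digest).
LEAKED_ROWS = [
    ("kidplayer99", "md5", legacy_hash("fluffy2003", "md5")),
    ("petlover", "sha1", legacy_hash("neopets", "sha1")),
    ("oldaccount", "sha1", legacy_hash("dragon", "sha1")),
    ("careful_user", "sha1", legacy_hash("correct horse battery staple", "sha1")),
]


def build_lookup(wordlist, algos=("md5", "sha1")) -> dict:
    """Precompute digest -> plaintext once. With no salt, every row of the
    dump is checked against this single table with one dictionary lookup."""
    return {legacy_hash(w, a): w for w in wordlist for a in algos}


def crack_unsalted(rows, wordlist) -> dict:
    """Return {username: recovered password or None} using the shared table."""
    table = build_lookup(wordlist)
    return {user: table.get(digest) for user, _algo, digest in rows}


# Hardened storage: per-user random salt plus a deliberately slow KDF.
# 600_000 is the OWASP (2023) recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Return (salt, digest); the salt is stored next to the digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)


def crack_salted(rows, wordlist, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Dictionary attack on salted rows of (username, salt, digest).
    Returns (results, kdf_calls). No table can be shared across users, so the
    attacker pays rows x words x iterations instead of one precomputation."""
    results, calls = {}, 0
    for user, salt, digest in rows:
        results[user] = None
        for word in wordlist:
            calls += 1
            if verify_password(word, salt, digest, iterations):
                results[user] = word
                break
    return results, calls


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_ROWS, WORDLIST))
    salted_rows = [(u, *hash_password(p))
                   for u, p in [("petlover", "neopets"), ("oldaccount", "neopets")]]
    # Same password, different digests: a precomputed table is useless here.
    assert salted_rows[0][2] != salted_rows[1][2]
    print("salted:", crack_salted(salted_rows, WORDLIST))
```

The unsalted table is built once and answers every row instantly, which is why an 18-month-old dump of fast, unsalted hashes is effectively plaintext for any password that appears in a wordlist. The salted path makes each guess for each user a separate 600,000-iteration computation, and identical passwords no longer produce identical digests, so the attacker cannot even spot password reuse inside the dump.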
Technical Details
- Initial Attack Vector
- Unknown. An attacker gained persistent access to Neopets' databases and allegedly held it for approximately 18 months before the breach was publicly discovered; the attacker offered for sale both the stolen data and continued live read/write access to those databases
- Vendor / Product
- Neopets user database and game systems
Timeline
- 2021-01-01 Breach occurred
- 2022-07-20 Publicly disclosed
- 2022-07-20 Customers notified