Hi everyone,

A large pet-site has been reaching out to us over the last week or so to let us know that their users’ accounts have been under attack, and to give us some details and a heads up that they may try to target Mycena Cave accounts in the future. With that in mind, please take a few moments to help keep your Mycena Cave account and its contents safe from those who would like to steal it.

The attack that that website is undergoing is relatively simple: it seems that a few years ago, Neopets was breached and the list of accounts was stolen. The person behind this attack on the pet-site has downloaded this list and is quite simply attempting to log in with the same username/password or email/password combinations, hoping that they’ll find combinations that work. Unfortunately, this has proven to be fairly successful.

This kind of attack is called credential stuffing, and is the most common source of account compromises on the internet today. People love using the same password on multiple services. Don’t let it happen to your Mycena Cave account: use a unique password that you have never used anywhere else (and make no mistake, if you use the same password here as you use(d) on Neopets, it’s not about if your account will be stolen but when).

How can I tell if my password is on a list? We’ve built a tool which can tell you if your password is known to be compromised. That being said, the easy answer is that if you’ve used it in more than one place, you should assume that it is not secure.

What do the passwords mypassword and #f7@&FhH have in common? They can both be cracked on a modern desktop machine in a handful of hours. Password complexity, character sets, special characters, all of those are great, but the most significant factor in making a password difficult to guess is its length.

Check out our Knowledgebase article. Remember that keeping your account secure is your responsibility: if your account (or its contents) is stolen as a result of an attacker signing in using your valid credentials, there is unfortunately little we can do for you. We strongly recommend you use strong, unique passwords for every website (including this one), and that you use a password manager such as Bitwarden, 1Password or LastPass to remember them for you.

Oh lord thanks for the heads up. Neopets tho, really? You’d think they’d have strong protections in place :<

EDIT: Checked with haveibeenpwned and my old (old) email is no good anymore xD (no surprises there). Neopets was listed as a match :p Boo on y’all, neopets.

My password was found 19 times p.q I guess I’m extra at risk lol Changing now <3

Hah my new password is hilarious, if anyone needs it I used 4 words from this random word generator :) So I got something along the lines of Correct Horse Battery Staple lol

ahh the neopets breach of 2013, we luv to see it!!

this is a great heads up tho, thank you!! i know for certain i was on that neo breach because one of my sides was hacked in a way that could only have been explained as part of that breach. i’ve cleaned up neo since then but never thought to look into other petsites!

are u able to say which one is facing this issue? the majority of people who hack into neo accounts do so to sell the contents of old, abandoned accounts off site (particularly retired artwork pets) so if it’s a petsite that’s got a similar sort of issue (i think fr has had a similar black market form?) then that may be helpful to at least know what kinds of activity to look out for that would indicate mycena’s being targetted? (basically, if custom pets are being moved off inactive accounts; luckily we’re a tight enough community here that would be recognized IMMEDIATELY haha) (I dunno if that’s anything to think about/is helpful, just spitballing based on my knowledge of the neo breach!)

“This password has been found 680 times, and you should not use it!”

*screams* I’m gonna… have to use some of my weekend fixing passwords on EVERYTHING ;A;

O…omg Sylphie. :’) At least you know now! Good luck…

I changed all my passwords for just about everything fairly recently so I’m good, but this is excellent information to know, thanks!

im definitely just putting random humorous stuff in the password checker

Coming back to say that instead of spreading out the task over the next day or so, I decided to do all of this in one night (like a LOON), and I’m happy to say my new password yields a much more comforting message:

“This password was not found in any common data dumps.”

:‘D

I’m very tired lol.

Thank you for the well-wishes! XD They helped me power through!

I’d love to change my password, but I don’t remember my current one :‘D I’ll have to do an incognito mode reset.
I’ve never had a Neopets account, but a different site I’m on was hacked recently and they got the usernames/email addresses of everyone who was online at the time, myself included. I’m sad that it’s currently happening to petsites as well.

baekhesten
Omg same XD

I admit, I was shocked my spiffy password was not nearly as secure as I thought it was!  A few of my passwords weren’t as awesome either, so I’ll be doing some password changes as well.

Thank you so much for the heads up and spiffy tools! c= 

And I typed mycenacave in the password check.

This password was not found in any common data dumps.