The rise and fall of a Neopets black market underlord

Happy Monday, and gather around, dear readers, for a decades-spanning tale of infamy, power, privacy, money, and cute digital animals. It comes courtesy of Everest Pipkin, a gaming and software artist from Texas who you may remember for designing the open-source, image metadata scrubber. Recently, Pipkin recounted their lucrative rise and fall in the organized Neopets’ racketeering world that was the late-nineties and early-2000’s. They also, in the process, rediscovered a massive data breach of Neopets users' accounts from nearly a decade ago, which is about as ridiculous as it sounds.

For those of you blissfully unaware: Neopets was one of children’s earliest internet phenomena, a mix of Pokemon battles and 8-bit, animal-rearing Tamagotchi toys, with a side of free market economics thrown into the mix. Kids could buy and sell imaginary Neopets stocks, and use both fake (and parents’ real) digital cash to purchase new animals and customizations for their personal pages. Pipkin, eager to capitalize on the era of wild, unregulated digital pet trading, figured out a way to sell customized Neopets to other kids for cheaper than the site itself allowed, thus slowly building their way up in power ranks of Neopia (the fictional land in which all these Neopets live… keep up, okay?).

The rise and fall of a Neopets kingpin — Drunk on power, Pipkin established a guild of like-minded members. The crew began dredging up older, inactive accounts to figure out and change their passwords — mind you, these were usually kids' passwords, so not exactly the most creative or secure — then set about using these dummy accounts to make even more customized Neopets for resale. Eventually, Pipkin realized they could make actual, real-world dollars with these transactions, and against the guild’s wishes, began doing just that.

A power struggle ensued with some pretty impressive conniving and backstabbing for a bunch of 9-to-12-year-olds that resulted in Pipkin getting essentially triple-crossed and banned from Neopets, which leads us two decades later to today — and Pipkin’s search for their last remaining inactive account that site moderators missed during their excommunication.

A Shakespearean sense of justice — Here’s where things get even spicier. (We know! How could that even be possible?) During their thorough internet searches for their long-lost information, Pipkin came across a long public but little known fact about Neopets accounts: back around 2012, something like 20,000,000 profiles were hacked in a massive data breach providing scammers with names, genders, DOBs, IP addresses, and more. The datafile is around 5GB, which when you think about how little space text information takes up, is an insane amount of personal information. Hidden in that trove of names and profiles — Pipkin’s sole remaining account… with their password changed by scammers somewhere along the way. A fitting comeuppance to their childhood life of crime.

In any case, if you had a Neopets account at any point in the early 2000’s, might be a good time to go check in on all that and make sure everything’s kosher. Oh, and if you ever used the alternative Android app store, Aptoide, you probably wanna look into that, too. And if you ever used the geneology company, GEDmatch, go brush up on your data privacy there, as well. You know what? Just go ahead and use these dice to create an unbreakable master password, alright?