In July 2022, a hacker posted a database on a forum with the personal information of 69 million Neopets users — names, email addresses, birth dates, zip codes, and account data. The asking price was four Bitcoin. The kicker: investigators determined the attackers had been inside Neopets’ systems since January 2021. Eighteen months. Undetected.
If you have been on the internet long enough to remember feeding a virtual pet in the early 2000s, this one might land a little differently. But the Neopets breach is worth paying attention to for reasons beyond nostalgia. It is a near-perfect illustration of what security researchers call “dwell time” — the period between when an attacker gains access to a system and when they are actually discovered. The global average dwell time in 2022 was around 207 days. In Neopets’ case, it was more than 540.
During those 18 months, the attackers had unrestricted access to user data. They could read it, copy it, and sell it — which is exactly what they did. And the users whose information was in that database had no idea.
The lesson is not complicated: breaches are not always loud. A lot of them are quiet. Attackers get in, stay low, and take their time. Detection matters as much as prevention. If your organization is only thinking about keeping attackers out and not about identifying when one has already gotten through, you have a meaningful gap in your security posture.
Also: change your Neopets password. And if you used that same password anywhere else, change those too.
Source: Security Magazine — The Top 10 Data Breaches of 2022