18:28 ST
Account Security on Mycena Cave

Hi everyone,

A large pet-site has been reaching out to us over the last week or so to let us know that their users’ accounts have been under attack, and to give us some details and a heads up that they may try to target Mycena Cave accounts in the future. With that in mind, please take a few moments to help keep your Mycena Cave account and its contents safe from those who would like to steal it.

The single most important thing you can do is to use a password that you have not used anywhere else, ever.

The attack that that website is undergoing is relatively simple: it seems that a few years ago, Neopets was breached and the list of accounts was stolen. The person behind this attack on the pet-site has downloaded this list and is quite simply attempting to log in with the same username/password or email/password combinations, hoping that they’ll find combinations that work. Unfortunately, this has proven to be fairly successful.

This kind of attack is called credential stuffing, and is the most common source of account compromises on the internet today. People love using the same password on multiple services. Don’t let it happen to your Mycena Cave account: use a unique password that you have never used anywhere else (and make no mistake, if you use the same password here as you use(d) on Neopets, it’s not about if your account will be stolen but when).

How can I tell if my password is on a list? We’ve built a tool which can tell you if your password is known to be compromised. That being said, the easy answer is that if you’ve used it in more than one place, you should assume that it is not secure.


The second most important thing you can do is to use a long password

What do the passwords mypassword and #f7@&FhH have in common? They can both be cracked on a modern desktop machine in a handful of hours. Password complexity, character sets, special characters, all of those are great, but the most significant factor in making a password difficult to guess is its length.


Where can I get more information?

Check out our Knowledgebase article. Remember that keeping your account secure is your responsibility: if your account (or its contents) is stolen as a result of an attacker signing in using your valid credentials, there is unfortunately little we can do for you. We strongly recommend you use strong, unique passwords for every website (including this one), and that you use a password manager such as Bitwarden, 1Password or LastPass to remember them for you.

Posted 11/29/19, edited 11/29/19

Oh lord thanks for the heads up. Neopets tho, really? You’d think they’d have strong protections in place :<

EDIT: Checked with haveibeenpwned and my old (old) email is no good anymore xD (no surprises there). Neopets was listed as a match :p Boo on y’all, neopets.

Posted 11/29/19, edited 11/29/19
this password checker is really helpful!! it found my password 9 times so to be safe i’m changing all my passwords to be different things
Posted 11/29/19

My password was found 19 times p.q I guess I’m extra at risk lol Changing now <3

Hah my new password is hilarious, if anyone needs it I used 4 words from this random word generator :) So I got something along the lines of Correct Horse Battery Staple lol

Posted 11/29/19, edited 11/29/19
I changed my password! Always good to be safe
Posted 11/29/19

ahh the neopets breach of 2013, we luv to see it!!

this is a great heads up tho, thank you!! i know for certain i was on that neo breach because one of my sides was hacked in a way that could only have been explained as part of that breach. i’ve cleaned up neo since then but never thought to look into other petsites!

are u able to say which one is facing this issue? the majority of people who hack into neo accounts do so to sell the contents of old, abandoned accounts off site (particularly retired artwork pets) so if it’s a petsite that’s got a similar sort of issue (i think fr has had a similar black market form?) then that may be helpful to at least know what kinds of activity to look out for that would indicate mycena’s being targetted? (basically, if custom pets are being moved off inactive accounts; luckily we’re a tight enough community here that would be recognized IMMEDIATELY haha) (I dunno if that’s anything to think about/is helpful, just spitballing based on my knowledge of the neo breach!)

Posted 11/29/19

“This password has been found 680 times, and you should not use it!”

*screams* I’m gonna… have to use some of my weekend fixing passwords on EVERYTHING ;A;

Posted 11/29/19

O…omg Sylphie. :’) At least you know now! Good luck…

I changed all my passwords for just about everything fairly recently so I’m good, but this is excellent information to know, thanks!

Posted 11/29/19

im definitely just putting random humorous stuff in the password checker

me: titties
site: This password has been found 13088 times, and you should not use it!
me: Titt13$
site: This password was not found in any common data dumps.
me: nice

Posted 11/29/19

Coming back to say that instead of spreading out the task over the next day or so, I decided to do all of this in one night (like a LOON), and I’m happy to say my new password yields a much more comforting message:

“This password was not found in any common data dumps.”


I’m very tired lol.

Thank you for the well-wishes! XD They helped me power through!

Posted 11/29/19, edited 11/29/19
hey hackers can i pay you $1 for my old neopets password? i forgot it and don’t have access to the email and have been trying to get in for like 7 years lmao
Posted 11/29/19
Ah yes, that breach. Fortunately my password for that site was never re-used. Still need to reset my password on a lot of sites to be unique, but they should be fairly secure regardless. The heads up/reminder is much appreciated, yes. o/
Posted 11/29/19

I’d love to change my password, but I don’t remember my current one :‘D I’ll have to do an incognito mode reset.
I’ve never had a Neopets account, but a different site I’m on was hacked recently and they got the usernames/email addresses of everyone who was online at the time, myself included. I’m sad that it’s currently happening to petsites as well.

Posted 11/30/19
Just for fun I checked all my passwords. Everything but one was free and clear. That’s a nifty checker there glitch Thanks!
Posted 11/30/19

Omg same XD

Posted 11/30/19

I admit, I was shocked my spiffy password was not nearly as secure as I thought it was!  A few of my passwords weren’t as awesome either, so I’ll be doing some password changes as well.

Thank you so much for the heads up and spiffy tools! c= 

Posted 11/30/19
Ah, yes…the exact sort of thing that led to me losing my Gaia Online account back in the day (filled with lots of rare-ish items…and then I couldn’t even get back on the account at all) because it had the same password/username/e-mail as my account on another site that had a data base breach.  Whoops.  Haha.  I’ll….check my passwords…
Posted 11/30/19
Posted 12/04/19
Long passwords are great. Our last wifi password before we changed it was BlueistheNewSexy! It made logging on fun!
Posted 12/04/19, edited 12/04/19