
Neopets Breach: A Lesson in How (Not) to Handle Crisis Comms on Social Media

August 1, 2022 / January 4th, 2023

Last week, in the first mega breach to hit the US this year, virtual pet website Neopets was hacked and the data of over 69 million users was put up for sale on the dark web. This, as the first step of any crisis communications plan will ask you to consider and evaluate, is clearly a crisis – and a big one. Crisis communication plans (ones that companies hope to never use) must be implemented, fast. In 2022, when over 4.48 billion people use social media for communication, connecting with loved ones, checking the news, and more, crisis communication plans should be extended to include comprehensive social media strategies, especially in an age where you, as an organisation, can reach thousands of customers instantly. Informing is a key part of the response stage of a crisis plan and it can make or break the customer perception of a brand. With this in mind, this post will look at the social media crisis communication strategy – or lack thereof – implemented by Neopets over the last week. 

Let’s first consider who uses Neopets. The site boasts over 100,000 daily active users, aged 18-24, most of whom spend an average of 90 minutes a day playing. Of course, the number of registered members (and subsequently their data) has been accumulating since 1999, when the site was first launched. While hackers probably aren’t interested in stealing virtual pets, the data obtained in such an attack (passwords, email addresses, etc.) could be invaluable elsewhere.

Initial Response 

There are three things all social media crisis communication strategies should consider: preparation, response, and recovery. Given that breaches were reported on the site in 2016 and further nefarious activity was detected in 2020, some preparation steps should have been taken if appropriate measures were implemented after the last attacks.

The 2022 breach was first announced via a Neopets help site on Wednesday 20th at 11:34NST (15:04pm): “We have some serious news today. Thanks to an anonymous tipster, we’ve been made aware that the database and source code for Neopets.com has been breached, and over 69,000,000 user accounts have been exposed.” Ideally, your customers should be hearing from you first, not a third party, especially in such a significant situation. If this cannot happen, users should be updated as soon as possible after the news has broken elsewhere.

So, how did Neopets officially release the news? Initially, a representative confirmed via Discord that the company was aware of the breach and “actively working on it.” Hours later, a statement was published on the site’s forum and on Twitter in a thread of three tweets addressing the breach. The Tweets read:  

Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data. (1/3) 

It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords. (2/3) 

As our investigation continues, we will update you as appropriate. We truly appreciate your patience and understanding at this time. Thank you. (3/3) 

 

A successful statement? 

There’s a tricky balance between timeliness and clarity when it comes to releasing statements in moments of crisis on social media. A good social media crisis comms statement should be released quickly, BUT it should be released using information that is accurate and clear, featuring actionable commands. Ideally, a statement should be released within 60 minutes of a crisis arising, to shape the conversation around the incident, diminish panic and to reassure customers and the press. Your users shouldn’t be hearing critical information from anonymous “tipsters” hours before an official statement is released.  

Of course, when everything is up in the air (and the data of 69 million users is at risk) it’s easy to forget the first rule of crisis comms: don’t panic. Once you’ve got a good hold on the situation, releasing an accurate statement is key. Social media is a good place to get that information out quickly and to a large group of people: 30k, for example, in the case of the @Neopets Twitter account. As it’s such a significant situation, saying the right thing is paramount, and engaging a legal team is often a good idea too. This could explain why this statement took so long. But what should a model statement include?

A good crisis comms statement should be consistent across social media platforms and, until an appropriate point in time, the main thing a customer sees when visiting your page. It should be compassionate and take into consideration the reactions of worried customers. It should seek to reassure. The aforementioned Tweets are clear and concise. They feature actionable steps for worried customers to take – “we strongly recommend that you change your Neopets password” – to mitigate further damage. It is perhaps not the most compassionate of statements, but it is concise and appears truthful. The worst thing you can do in a crisis situation is say “no comment.” Transparency, even if it’s limited, is key. You should, however, take responsibility for the situation at hand and aim to educate.

What happens once the statement has been posted? Your social media moderators should be monitoring reactions closely. They should continue to answer concerns from customers and assuage panic spread further by the press. Every user is a media outlet amplifying your story, for better or worse. These statements should not function as a one-and-done basic compliance activity; they should be updated and checked often.

Business as usual? The Achilles heel of all good crisis communication plans 

Unfortunately, the real problem with the reaction from the official Neopets social media account was what happened next: business as usual. The worst thing you can do in a time of crisis on social media is continue as if nothing happened. After a crisis has occurred, all scheduled content should be paused, all advertising should be stopped, and focus should turn to resolving the problem at hand. As someone who deals with social media on a day-to-day basis, I know that it is customary to schedule content days, even weeks, in advance. Neopets is currently exhibiting at San Diego Comic Con, which, I imagine, is a costly choice for a brand because it is so key to engaging users. However, it is always worth reviewing your social media content when a crisis happens to avoid distaste, no matter what else is going on.

The Achilles heel of the Neopets crisis comms plan was a Tweet, less than 24 hours after announcing the breach, promoting a competition that reads: 

“Did you know that we have Neopets plush for sale at our SDCC booth? Did you ALSO know that we are giving away one XL Faerie Draik EVERY DAY? To enter: Take a picture at our booth (929) Post it on social media with hashtag #NeopetsSDCC2022 & #SDCC2022 Winners will be DMed!” 

Shockingly, the Tweet and its onslaught of furious replies remain up (correct as of Tuesday 26th July 2022). The reality is that this Tweet should have been held back, even though it is time-sensitive and relates to an event currently happening. These comments show exactly why a ‘business as usual’ strategy doesn’t fly with worried and irked consumers:

One user said: “I would like to know that my account information is safe and not being hacked into before I worry about a stuffed animal giveaway, thank you.” 

Another added: “Did you know that your website is currently suffering a massive data breach and you have said NOTHING on the status of your users’ account security?” to whom someone replied “honestly the fact this has happened 3 times already they never learn.” 

One Tweet hit the nail on the head: “For 95,000 USD a hacker can win the GIVEAWAY of your millions of users’ personal information. This is in such poor tact I’m losing my damned mind.” 

Social media allows every user to have their own digital soap box. As a brand you must accept that you will never have complete control over how you are spoken about online. You can, however, shape the conversation and attempt to control damage by responding to worried customers, pausing business-as-usual posting, and posting quickly (and regularly), with the most up-to-date information available. 

Going forward? Recovery. 

While we won’t know how this will pan out for Neopets yet as the situation is still unfolding, we can see that their social media team has not updated users about the status of the breach since the original Tweets. Really, this thread should be pinned to the top of the page and be the first thing that worried customers see when they come to the page for information. The most important lesson in social media for businesses is that people don’t want to do business with businesses, they want to do business with people. Brands with compassion and a unique voice will undoubtedly do better in these situations than those without. As each day passes, the Neopets breach Tweet gets buried under new posts about SDCC and other announcements. The replies under these new Tweets continue to be furious, understandably, showing that a compromised organisation can’t just move on and hope no one notices.

Ideally, how do Neopets – or any brand coming out of a crisis situation – recover? Firstly, once the situation is under control and the hackers are kicked out of the system, communication with customers should be kept open and remain a priority. Once this has happened, you can start evaluating the overall sentiment of the reactions and determine the response in the media. Finally, this data should be analysed to see what lessons may be learned and to determine a best practice going forward.