Hello Kitty Leak Exposes 3.3 Million Users' Data


A database for SanrioTown, the online community for Hello Kitty, Badtz-Maru, My Melody and other Sanrio characters, was recently exposed online, Salted Hash reports.

The database, which was discovered by researcher Chris Vickery, held 3.3 million accounts and included full names, birthdates, genders, countries of origin, email addresses, unsalted SHA-1 password hashes, and password hint questions and answers. The first logged exposure of the data was on November 22, 2015.

Sanrio told Salted Hash the database included information on 186,261 people under the age of 18.

In addition to SanrioTown, users of hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com are also affected, according to Vickery.

Vickery said the data wasn't exposed by hackers, but via a misconfigured MongoDB installation.

"We are conducting an internal investigation and security review into this incident; at this time we have no indication that users' personal information was stolen by malicious parties," Sanrio said in a statement published on December 22, 2015.

All SanrioTown users are being advised to change their passwords.

"Given that many organizations have not adjusted their cybersecurity stance to take into account today's multi-level attacks, the Hello Kitty breach highlights yet again that organizations should be focusing on making sure sensitive data remains protected, and leveraging strong encryption with access control is critical to achieving this," Vormetric CSO Sol Cates told eSecurity Planet by email.

"This is yet another case of an organization that has failed to put in place these security controls," Cates added. "Protecting data and passwords using 'hashing' techniques is simply not enough."

And Norse field engineer Joseph Pizzo noted by email that leaks and breaches like the SanrioTown leak and the recent VTech breach are unfortunately becoming increasingly common. "They are a product of poor storage of credentials, a poor security infrastructure, advanced attack methods, or any combination of the three," he said. "This may continually happen to several organizations until they realize that the threat is imminent."

"There needs to be a combination of people, products and training to address this problem," Pizzo added. "Companies can't just get away with using only one; a solution utilizing all of these is necessary to defend themselves against the bad guys knocking on their doors."

Recent eSecurity Planet articles have looked at the top enterprise encryption products and how to secure corporate data in a post-perimeter world.