Hello Kitty’s website, Sanrio Town, which is also the online community for Hello Kitty fans, has been subject to a data breach that has leaked information belonging to more than 3 million users’ online accounts. The data exposed includes first and last names, birth dates, genders, countries of origin, and email addresses.
The Guardian’s Alex Hern says the leak included lightly-protected passwords and password secret questions and answers. The form of protection used by Hello Kitty is the hashing technique, which makes it impossible to retrieve original passwords. But the method makes it easy to use force to uncover a substantial proportion of obscured passwords.
Researcher Chris Vickery found the breach and contacted Salted Hash, a security blog, over the weekend. Multiple other Hello Kitty websites were also leaked.
This breach is the most recent in a spate of attacks that has compromised the data of families. In November, Japanese electronic company VTech was hacked, which allowed information about millions of children to be stolen. Photographs taken by the VTech’s products, download histories, encrypted passwords, and password retrieval questions were all taken. On Dec. 15, a 21-year-old man was arrested for the VTech hack.
Internet security experts are recommending that parents make sure children’s passwords are immediately changed. This is especially important if the passwords are being used on other sites as well.
International Business Times’ Tom Mendelsohn writes that since Hello Kitty is also popular with adults, they should change their compromised passwords as well because it is easy for hackers to reference accounts on multiple sites that share passwords.
The data may have been leaked as early as November 22, but Vickery did not publish the location of the data to help prevent further exposure.
Created in 1974 in Japan, Hello Kitty is owned and operated by the Japanese firm Sanrio, which had a net worth of $7 billion in 2014. Formerly aimed at pre-adolescent girls, it now has a following of adult fans. Hello Kitty has two theme parks in Japan and a variety of TV series, films, games, and secondary characters.
Sanrio said there was no evidence that any data was stolen from the accounts exposed by hackers. Katie Bo Williams of The Hill says the company has stated that it “patched a hole” in its security after it was informed that users’ data was made accessible. They added that all passwords were “securely encrypted” and no credit card information was among the exposed data.
Reuters noted that the database was exposed for almost a month, which meant anyone who knew the Sanrio websites’ internet addresses could have compromised them.
A spokesperson for Sanrio said the company does not allow minors to sign up, but that an honor system is in place, so kids younger than 13-years-old could register on the site simply by lying about their age.
Vickery, who explores security weaknesses as a hobby and then reports them to the relevant companies, says he has found thousands of similar security breaches.
One Sanrio spokesperson in Tokyo said the Hong Kong site was not connected to a Sanrio shareholder database that experienced a data breach earlier this year.