Hello pity: 3.3m Hello Kitty fans’ details leaked?

22 Dec 2015

An extensive database of 3.3m members of the Hello Kitty community on SanrioTown has allegedly been leaked online and backed up on two separate servers.

Following on from the VTech hack last month, which saw personal details of millions of customers compromised, Hello Kitty is the latest children’s entertainment company to get caught up in the world of online cybersecurity problems.

Security researcher Chris Vickery was the one who found the online information from Sanriotown.com, which allegedly included users’ personal access information, such as names, email addresses, passwords and even password hint questions and answers.

A Sanrio spokesperson said “the alleged security breach of the SanrioTown site is currently under investigation. Information will be made available once confirmed,” but, in the meantime, if you have an account on there it’s best you change your password straight away.

Actually, any other account with the same password will also need changing, one would think.

Since Sanrio was informed of the issue, the three IP addresses that were disclosing the user information have been secured – “the issue wasn’t a hack, but a misconfigured MongoDB installation,” explained CSO.

The VTech hack last month saw 11.6m accounts compromised, over half of which were children’s. It all makes for a bad winter of online security for parents.

Updated at 11.10am, 22 December 2015

According to Reuters, Vickery said the company had plugged the holes he had found in three servers but, with the database exposed since November, there was potential access since then.

“It would have been extremely easy for a bad guy to take the data,” he said. “Extremely easy. Almost as easy as downloading a web page.”

But Sanrio Digital said in a statement that “at this time we have no indication that any personal information was stolen”.

Hello Kitty image by Gary718/Shutterstock

Gordon Hunt was a journalist with Silicon Republic