Security

Hello Kitty hack exposes 3.3 million users' details, says infosec bod

Users left exposed on community site

One of EVA Air's Hello Kitty jets

Updated Up to 3.3 million Hello Kitty users have had their personal data exposed due to a database breach at the brand's online community SanrioTown.com, a security researcher has discovered.

The sanriotown.com breach had been discovered online by researcher Chris Vickery who informed security blog Salted Hash.

The exposed records include users' names, birthdates, gender, nationality, email addresses, unsalted SHA-1 password hashes, and password hint questions.

"While having sensitive details exposed is bad enough for adults, when the information relates to a child it's far worse.

"If someone managed to compromise a child's identity, the fraud might not be detected for years because most parents don't monitor their child's credit record," noted Salted Hash writer Steve Ragan.

In addition to the primary Sanriotown database, two additional backup servers containing mirrored data were also compromised, it said.

The earliest known date of publication for the private information was 22 November this year

Sanrio, as well as the ISP being used to host the database itself, have all been notified, reported the site.

Earlier this month Toymaker VTech admitted that millions of kiddies' online profiles were left exposed to hackers – much higher than the 220,000 first feared. ®

Updated to add

Since the publication of this story, Sanrio has contacted The Register to comment: "The alleged security breach of the SanrioTown site is currently under investigation. Information will be made available once confirmed."

Sponsored: Global DDoS threat landscape report