Hello Kitty community leaks details of 3.3m users

Parents have been warned of another children-focused website that has suffered a serious breach of customers’ private data. The latest victim is Sanriotown.com, the online community for Hello Kitty fans, and it is believed to have leaked details of over 3 million users.

Alarmingly, the exposed data appears similar to that in the recent VTech breach, which also revealed usernames, first and second names, gender, country of origin and email addresses. Also as in the VTech breach, passwords were weakly protected using an easily broken hash. Additionally, password hint questions and answers were taken, and these too, like VTech's, had been stored in plain text.

The database was available online, where it was discovered by researcher Chris Vickery, who contacted the security blog Salted Hash with the information over the weekend.
However, it wasn't just SanrioTown itself that suffered a breach: accounts from a number of other Hello Kitty websites were also included in the leak. According to Salted Hash, those are hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com.

No credit card details were lost in the SanrioTown attack as it is not an eCommerce site as such. However, the VTech hack earlier this month even saw the theft of photos taken by the company’s toys, as well as download histories, weakly protected encrypted passwords and password retrieval questions.

Sanrio, the owner of the brand based on the popular character, has not publicly responded to the allegations of an account leak.

Emily Orton, Director at Darktrace, commented: “Companies like Sanrio need to urgently rethink the ways that they protect their information and reputation. The status quo of security is not good enough anymore – we know that companies face continual threat. Now it is time to do something about it, and bolster internal monitoring systems that work to catch early signs of compromise.”
