The huge database of customer details was uncovered by security researcher Chris Vickery, who shared details with security blog Salted Hash over the weekend. To date Sanrio, the company behind the anthropomorphized character, has not confirmed the breach. The breach came from an online portal called SanrioTown.com, which fans of Hello Kitty use to talk and interact online.
It's the second major leak within a month at a company aimed primarily at children. The Hello Kitty leak comes just weeks after it was revealed that hackers had accessed the account details of millions of VTech customers, including 6.4 million children, among them children's names, genders and birthdates.
Data from other Hello Kitty websites (hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com) were also included in the leak.
According to Vickery, the leaked database includes the first and last names, birth dates, genders, countries of origin, and email addresses for 3.3 million customers. The database also includes “unsalted SHA-1 password hashes”, which means the passwords are hashed rather than stored in plain text, but an attacker could still use a brute force attack to reveal the majority of those passwords.
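Why the missing salt matters, shown as an added example that is not part of the original article or any Sanrio code: unsalted SHA-1 gives equal passwords equal digests, while a per-user salt with a slow KDF does not. The account names, passwords and the PBKDF2 iteration count below are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1, the storage scheme the leak report describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hardened_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_hardened(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hardened_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digests(stored: dict[str, object]) -> int:
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)


# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "kitty2015", "bob": "kitty2015", "carol": "my-melody!"}

legacy_table = {user: legacy_hash(pw) for user, pw in USERS.items()}
hardened_table = {user: hardened_hash(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("unsalted SHA-1, accounts sharing a digest:", shared_digests(legacy_table))
    print("salted PBKDF2, accounts sharing a digest:", shared_digests(hardened_table))
```

With unsalted hashes, one guess checked against the table tests every account at once; the per-user salt forces each account to be attacked separately, and the slow KDF raises the cost of every guess.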
The database also includes unencrypted versions of the questions customers are asked in order to retrieve forgotten passwords, as well as the answers. In addition to the main server, two backup servers were found containing the leaked database. Sanrio has yet to respond to the leak.
Hello Kitty fans range in age from young children to adults. The details of any children in the leaked database will be of biggest concern, though it has yet to be confirmed whether details of any minors are included in the leak.