The personal data of up to 3.3 million users of several Hello Kitty websites has been exposed in a database breach.
Over the weekend, researcher Chris Vickery discovered the details of 3.3 million accounts associated with sanriotown.com, the official web portal for Hello Kitty and other characters owned by parent company Sanrio. The site offers fans access to forums, mini-games, videos, blogs and other Hello Kitty content.
The records, which were first known to have been published on November 22, 2015, include the first and last names, email addresses, home countries and sexes of users, as well as password hints and their corresponding answers. Unsalted SHA-1 password hashes, which are easily cracked to recover the original passwords, were also uncovered.
Hello Kitty is a brand popular around the world among both children and adults. A number of websites associated with the brand are affected by the leak: hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com. Two servers containing mirrors of this data were also discovered.
After discovering the database of information, Vickery passed on the details to technology website CSO and DataBreaches.net.
As accounts set up by children are likely to be involved in the leak, Steve Ragan, a journalist with CSO, has described the leak as “worse” than if only adults had been affected.
“If someone managed to compromise a child’s identity, the fraud might not be detected for years, because most parents don’t monitor their child’s credit record,” Ragan stated.