The database for the site sanriotown.com, the official online community for Hello Kitty and other characters from Japanese kawaii character maker Sanrio Co. Ltd. has been hacked with the account details of 3.3 million users making its way online.

The database was discovered by Chris Vickery, the same researcher who exposed the MacKeeper and Hzone data breaches.

According to Salted Hash, the records exposed include first and last names, birthday, gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.

The main Sanrio site also offers an e-commerce shop that sells (unsurprisingly) Hello Kitty merchandise, but it’s not clear from the report as to whether financial data was included in the database.

Data from other related sites was also included in the database including the user details for the sites hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.

In addition, two Sanrio backup servers were also discovered online.

The report notes that Sanrio, as well as the ISP being used to host the database itself, have been notified of the breach but as of the time of writing neither have commented publicly.

Targeting kids

The Hello Kitty hack follows a recent and much-publicized hack of kids smart toy maker VTech in November and may be indicative of a shift by bad actors to disturbingly targeting children whereas previously they have primarily targeted services frequented by adults.

Why the sudden shift to targeting kids is unclear at this stage and given that there’s little background on where the data is available or who had obtained it in this case we simply don’t know; this compares at least to the VTech hack where the hacker actually spoke about why it was wrong, saying at the time:

“Frankly, it makes me sick that I was able to get all this stuff,…VTech should have the book thrown at them.

The same applies for Sanrio and Hello Kitty: while it’s never good that any company is hacked, there should be some level of moral responsibility for a company that caters to kids to be doubly sure that the data they gather on children remains as secure as is technologically possible, and the fact that this data is in the wild now would suggest that Sanrio is at least partially to blame by failing to prevent the hack to begin with.

It probably goes without saying but if your child, or you yourself, have an account with the company, you need to change your password immediately.

Image credit: aedc/Flickr/CC by 2.0