A database from Sanrio Co. Ltd., the company behind Hello Kitty, has been published online for the first time, proving once and for all that the company was hacked.
News of the hacking emerged in December 2015, when a copy of the database was alleged to have been found on the dark web by security researcher Chris Vickery. It included first and last names, birthday, gender, country of origin, email addresses, non-randomized SHA-1 password hashes, password hint questions, their corresponding answers and other data points — in short, a lot of valuable data. Users were advised to change their passwords, but Sanrio denied that any data had been stolen at the time.
Any question about the veracity of the hack has now been answered with leak search engine LeakedSource having added the Hello Kitty database to its service last weekend. The database is said to include 3.3 million records from sanriotown.com including 186,261 Hello Kitty fans who are younger than 18. Fortunately, the published record has been stripped of anything but personal details, with other data being removed. Strangely, though, the data on LeakedSource now includes the field “incomeRange” next to every user with values running from 0 to 150, although it isn’t clear what those numbers actually mean.
“As was the case previously, the fear is that the exposed database could cause problems for those registered, especially the children,” Steve Ragan, who first noted the dump on LeakedSource, wrote at Salted Hash. “It’s hard enough to deal with ID theft related issues as an adult. Such issues are only compounded for children, as the problems might not materialize for several years.”
As SiliconANGLE wrote at the time the story originally broke, the Hello Kitty hack, along with the hack of smart toymaker VTech before it, may be indicative of a disturbing shift by bad actors to target children. Before, they had primarily targeted services frequented by adults.
It may be somewhat flippant to quote the famous line from “The Simpsons,” “Won’t someone think of the children?” but in this case it seems apt. Anyone who has created a Sanrio Hello Kitty account and hasn’t changed the password yet should do so now.