UPDATED 23:12 EDT / DECEMBER 21 2015


Hello Kitty hacked with the data of 3.3m users making its way online

The database for the site sanriotown.com, the official online community for Hello Kitty and other characters from Japanese kawaii character maker Sanrio Co. Ltd., has been hacked, with the account details of 3.3 million users making their way online.

The database was discovered by Chris Vickery, the same researcher who exposed the MacKeeper and Hzone data breaches.

According to Salted Hash, the records exposed include first and last names, birthday, gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.

The main Sanrio site also offers an e-commerce shop that sells (unsurprisingly) Hello Kitty merchandise, but it’s not clear from the report as to whether financial data was included in the database.

Data from other related sites was also included in the database, including the user details for the sites hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.

In addition, two Sanrio backup servers were discovered online.

The report notes that Sanrio, as well as the ISP being used to host the database itself, has been notified of the breach, but as of the time of writing neither has commented publicly.

Targeting kids

The Hello Kitty hack follows a recent and much-publicized hack of kids' smart toy maker VTech in November and may be indicative of a disturbing shift by bad actors toward targeting children, whereas previously they have primarily targeted services frequented by adults.

Why the sudden shift to targeting kids has occurred is unclear at this stage, and given that there's little background on where the data is available or who obtained it in this case, we simply don't know. This contrasts with the VTech hack, where the hacker actually spoke about why it was wrong, saying at the time:

“Frankly, it makes me sick that I was able to get all this stuff, … VTech should have the book thrown at them.”

The same applies to Sanrio and Hello Kitty. While it's never good when any company is hacked, a company that caters to kids has some level of moral responsibility to be doubly sure that the data it gathers on children remains as secure as is technologically possible. The fact that this data is in the wild now would suggest that Sanrio is at least partially to blame by failing to prevent the hack to begin with.

It probably goes without saying, but if your child, or you yourself, have an account with the company, you need to change your password immediately.

Image credit: aedc/Flickr/CC by 2.0
