Sanrio probes reported ‘Hello Kitty’ hack exposing 3.3 million users

23 Dec 2015

‘Hello Kitty’ Fan Database Leak Exposes 3.3 Million Users: Researcher.

Researcher Chris Vickery told the Salted Hash blog on Saturday that he discovered a database that houses 3.3 million customer accounts and has ties to a number of Hello Kitty portals. Over 3 million Hello Kitty fans have had their information exposed in a hack that could leave identities—and passwords—of kids and their parents vulnerable to cyber attacks. The records include first and last names, birthday, gender, country of origin, email addresses, password hint questions and their corresponding answers, according to the report. “Hashed” passwords, which use an algorithm to protect the password, were also reportedly exposed. Electronic toymaker VTech Holdings Ltd said in November that it was the victim of a cyber attack that compromised information about customers who access a portal for downloading children’s games, books and other educational content.

Vickery said that accounts registered through the fan portals of,,, and were impacted by the leak. The breached data included full names, encoded but decipherable birth dates, email addresses, and encrypted passwords, along with password reset questions and answers. It’s not clear if the site’s breached data contained any financial information, or how it was leaked. It is not expected that images or audio of minors were exposed, as with recent security issues with Hello Barbie and VTech. “The alleged security breach of the SanrioTown site is currently under investigation,” Sanrio said in a statement provided to NBC News. “Information will be made available once confirmed.” In an email to NBC News, Vickery wrote that he found the database the same way he found another, larger one associated with the software MacKeeper last week. The database also included passwords, which were saved as “unsalted SHA-1 password hashes,” an encryption form that stores passwords as a series of scrambled letters and numbers., run by Hong-Kong-based Sanrio Digital, hosts games and community forums related to Sanrio brands, so kids’ personal details may have been caught up in the leaked data.

That would make the Sanrio breach the second in just the last month to demonstrate the vulnerability of children to the same sort of data breaches that usually affect adults. Children, who are likely to use SanrioTown and unlikely to invest much effort into hack-resistant passwords, are particularly susceptible to this kind of attack. The VTech breach, which was pulled off by a hacker who told news site Motherboard that he or she merely wished to demonstrate VTech’s insecurity, went beyond mere usernames and passwords to include photos and videos, including children’s photos and chat logs.

Approximately 55 percent of adults use the same password for most of their online profiles, a 2013 study by a U.K.-based communications watchdog found. But cautious users of the company’s sites, young or old, should reset their passwords—whether or not Sanrio itself acknowledges the breach and requires that reset.

Salted Hash, the security blog that first reported the SanrioTown leak, is advising users to change their passwords and security questions on other websites, especially on online banking sites and social media platforms that contain personal information. Vickery says that the leaked passwords were encrypted with SHA-1 hashing, but not “salted” with random data, an additional step to strengthen that encryption. That oversight, along with what Vickery describes as password reset information included in the breach, means the passwords should be considered compromised. Beyond the risk of a compromised account, the Sanrio and VTech breaches both serve as reminders that minors today can also be victimized by data breaches, particularly as their online footprints grow to match those of adults.
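To show why the unsalted SHA-1 hashes described above offer little protection, here is an added example (not from the original article and not Sanrio's code) that contrasts that scheme with a per-user random salt and PBKDF2. The account names, passwords, function names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumed work factor, tune for your hardware


def legacy_unsalted_sha1(password):
    """Scheme reported in the leak: bare SHA-1 with no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def shared_digests(stored):
    """Audit helper: digests that appear on more than one account."""
    counts = Counter(stored.values())
    return {digest: n for digest, n in counts.items() if n > 1}


# Constructed sample accounts (not real data from the breach).
SAMPLE_ACCOUNTS = {"user_a": "kitty123", "user_b": "kitty123", "user_c": "melody!9"}


def demo():
    unsalted = {u: legacy_unsalted_sha1(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE_ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = demo()
    print("unsalted digests shared across accounts:", shared_digests(unsalted))
    print("salted digests shared across accounts:",
          shared_digests({u: d for u, (_, d) in salted.items()}))
```

With the unsalted scheme, accounts that share a password store the same digest, so anyone holding the leaked table can match it against precomputed SHA-1 values once and expose every such account. With per-user salts each stored digest is unique and must be attacked separately.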

Weak security and young users could make Hello Barbie a child predator’s favorite toy, two parents have claimed in a lawsuit against Barbie-manufacturer Mattel. “It’s interactive, so if someone hacks into the server they could technically take over and ask questions like ‘Where do you live?’ or ‘Is anybody home?’” lawyer Michael Kelly told The Daily Beast this month. “You’re not dealing with competent adults, you’re dealing with vulnerable little kids.” An attack on toy manufacturer VTech in November exposed even more users’ information, leaking photos, chat logs, and personal information for nearly 5 million parents and children.
