The Great Hello Kitty Hack of 2015
‘Hello Kitty’ Fan Database Leak Exposes 3.3 Million Users: Researcher.
Researcher Chris Vickery told the Salted Hash blog on Saturday that he discovered a database for Sanriotown.com that houses 3.3 million customer accounts and has ties to a number of Hello Kitty portals. Over 3 million Hello Kitty fans have their information exposed in a hack that could leave identities—and passwords—of kids and their parents vulnerable to cyber attacks.
The records include first and last names, birthday, gender, country of origin, email addresses, password hint questions and their corresponding answers, according to the report. “Hashed” passwords, which use an algorithm to protect the password, were also reportedly exposed. Electronic toymaker VTech Holdings Ltd said in November that it was the victim of a cyber attack that compromised information about customers who access a portal for downloading children’s games, books and other educational content. Sanrio told FoxNews.com that the alleged security breach is under investigation. “Information will be made available once confirmed,” it added, in an emailed statement.
Vickery said that accounts registered through the fan portals of hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com were impacted by the leak. The breached data included full names, encoded by decipherable birth dates, email addresses, and encrypted passwords, along with password reset questions and answers.1 It’s not clear if the site’s breached data contained any financial information, or how it was leaked. The database also included passwords, which were saved as “unsalted SHA-1 password hashes,” an encryption form that stores passwords as series of scrambled letters and numbers. The personal information of more than 11.2 million people – including almost 6.4 million children, was exposed recently following a hack of the electronic toy maker VTech.
Sanriotown.com, run by Hong-Kong-based Sanrio Digital, hosts games and community forums related to Sanrio brands, so kids’ personal details may have been caught up in the leaked data. Experts say that parents must pay careful attention to how personal data is handled. “In addition to evaluating toys, apps, and websites for their entertainment and educational value, parents must also look at the security risks associated with such activity and demand that companies provide details about the data they collect, how it is used, who has access to it, and how it is secured,” said Suni Munshani, CEO of data security specialist Protegrity, in a statement emailed to FoxNews.com. That would make the Sanrio breach the second in just the last month to demonstrate the vulnerability of children to the same sort of data breaches that usually affect adults. Children, who are likely to use SanrioTown and unlikely to invest much effort into hack-resistant passwords, are particularly susceptible to this kind of attack.
That breach, which was pulled off by a hacker who told news site Motherboard that he or she merely wished to demonstrate Vtech’s insecurity, went beyond mere usernames and passwords to include photos and videos to include childrens’ photos and chatlogs. Approximately 55 percent of adults use the same password for most of their online profiles, a 2013 study by a U.K.-based communications watchdog found. But cautious users of the company’s sites, young or old, should reset their passwords—whether or not Sanrio itself acknowledges the breach and requires that reset.
Salted Hash, the securities blog that first reported the SanrioTown leak is advising users to change their passwords and security questions on other websites, especially on online banking sites and social media platforms that contain personal information. Vickery says that the leaked passwords were encrypted with SHA-1 hashing, but not “salted” with random data, an additional step to strengthen that encryption. That oversight, along with what Vickery describes as password reset information included in the breach, means the passwords should be considered compromised. Beyond the risk of a compromised HelloKitty.com account, the Sanrio and Vtech breaches both serve as reminders that minors today can also be victimized by data breaches, particularly as their online footprints grow to match those of adults.
Weak security and young users could make Hello Barbie a child predator’s favorite toy, two parents have claimed in a lawsuit against Barbie-manufacturer Mattel. “It’s interactive, so if someone hacks into the server they could technically take over and ask questions like ‘Where do you live?’ or ‘Is anybody home?’” lawyer Michael Kelly told the Daily Beast earlier this month. “You’re not dealing with competent adults, you’re dealing with vulnerable little kids.” An attack on toy manufacturer VTech in November exposed even more users’ information, leaking photos, chat logs, and personal information for nearly five-million parents and children.
Share this article:
Other articles of the category "Android":
Feds require consumer warnings about older Java so...
BMW and Nissan roll out dual-plug EV chargers acro...
Oracle settles charges that it misled you on Java ...
Fallout 4 Addiction: Man Loses Job And Wife, Sues ...
Fallout 4 Addiction: Man Loses Job And Wife, Sues ...
Tesla Cars Will Get Free Spotify Premium&...
Microsoft pulls “Hey Cortana” feature ...
Microsoft disables Cortana for Android voice featu...