A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.
Vickery contacted Salted Hash and Databreaches.net about the leaked data Saturday evening.
The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.
Vickery also noted that accounts registered through the fan portals of the following websites were also impacted by this leak: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.
In addition to the primary Sanriotown database, two additional backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is November 22, 2015.
In order to prevent identification of the database, Salted Hash is withholding screenshots of the data, IP information, DNS data, and other identifying markers.
Sanrio, as well as the ISP being used to host the database itself, have all been notified. An automated email from the ISP confirmed that the incident notification was logged, but no further details are available.
The Hello Kitty brand is highly popular the world over, to kids and adults, so the immediate concern is that the database might contain the personal information of children.
Steve Ragan, IDG News Service
Subscribers 0
Fans 0
Followers 0
Followers