A database containing information on some 3.3 million registered users of “Hello Kitty” and other Hello Kitty-related websites, including hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com, was discovered online, unguarded, by researcher Chris Vickery. He reported his findings late in the evening on Dec. 19 to two websites that report alleged breaches to the public. There are indications that hackers may have been combing through the databases for more than a month.
The exposed records include first and last names, birthday (encoded, but easily reversible, Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes (easily reconstructed), password hint questions, their corresponding answers, and other data points that appear to be website related. In addition to the primary sanriotown database, two backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is November 22, 2015.
The parent company of the site, Sanrio, is not confirming the alleged breach, how many minors might be compromised, or any details about an investigation into the breach. It is only stating that it is investigating. In addition to the Hello Kitty products, it has cultivated an active interactive social community for its fans. It includes games and other activities attractive to children.
Jay Foley of ID Theft Info Source urged anyone who registered with Hello Kitty or the related websites to immediately change the passwords they used to register, as well as their answers to security questions. “Answers should not be information that can be found anywhere in social media. For instance, when the question asks, ‘Your father’s name,’ you might want to use a word that is unrelated such as ‘allergy.’
“Additionally you need to have a serious discussion with children and teens about responding to any social media request from people they don’t know. ‘Stranger danger’ takes on a new meaning in the world of social media. That includes opening email messages, texts, attachments, Facebook messages or friend requests. They should understand not to post anything on a social media website, tweet or snap that they would not want put on a billboard along the street including financial account numbers, home addresses, passwords, and private family matters. Be specific. The Federal Trade Commission has a number of games that help to teach what not to share.”
This is the second time Sanrio has had to deal with a database leaking information. Earlier this year, the company investigated a database leak that exposed information on more than 6,000 shareholders.