More than three million accounts associated with the Hello Kitty brand on SanrioTown.com, HelloKitty.com and MyMelody.com were left vulnerable to data theft, according to a report from CSO Online. Sanrio, the retailer and designer that owns the Hello Kitty brand, said it has since secured the servers.
Online security researcher Chris Vickery uncovered the database vulnerability on Dec. 19, contacting CSO Salted Hash and Databreaches.net. The leaked information included users' first and last names, birthdays, genders, countries of origin, email addresses, password hashes, password hint questions and answers and other data, according to Vickery.
In a statement, Sanrio Digital said, “At this time we have no indication that any personal information was stolen.” Credit card and other payment information was not included in the leaked data, and user passwords were encrypted.
In addition to the primary SanrioTown database, two backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is November 22, 2015.
Vickery, who explores security vulnerabilities in his spare time and reports them to the affected companies, said the hole in the Hello Kitty site was the result of a database misconfiguration, leaving it open to public access without a password or authentication, according to Reuters.
This is the second time Sanrio has had to deal with a database leaking information. Earlier in 2015, the company investigated a database leak that exposed information on more than 6,000 shareholders.
The incident comes on the heels of the data breach of another Hong Kong-based children’s product brand, VTech. That hack exposed personal data, chat logs and photos of as many as 6.3 million people, including 200,000 children. This month, UK police arrested a 21-year-old man in connection with the VTech breach.