Hello Kitty Database Hacked, 3.3 Million Users’ Data Exposed

A database belonging to Sanrio, the Japan-based owner of the popular Hello Kitty brand, was breached. The leak potentially puts the personal data of 3.3 million users at risk.

Sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has had its database discovered online by an independent security researcher. The database contains nearly 3.3 million account details, all of which are part of the leak.

The exposed data includes:

  • First and last names
  • Birthdays
  • Gender
  • Country of Origin
  • Email addresses
  • Unsalted SHA-1 password hashes
  • Security questions and answers

The independent researcher reached out to CSOonline to make the news public. Chris Vickery, the researcher who discovered the database, also identified two additional backup servers that contained mirrored data. The earliest logged exposure of the data goes back to November 22, 2015.

In order to protect the identities of the victims, CSOonline hasn’t revealed any screenshots of the data, DNS data, IP records or other markers that would readily identify the 3.3 million records.

Vickery also claimed that accounts registered on the following websites were impacted by the data breach: hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com.

The breach draws parallels with the recent infamous VTech hack, which exposed the records of nearly 12 million people, 6 million of whom were children. Since the Hello Kitty brand is popular all around the world with both kids and adults, it is possible that the breached data includes information about children.

Furthermore, it’s important to note that the passwords were in fact hashed (as unsalted SHA-1, per the list above) rather than stored in plain text, making them harder to crack.
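The following is an added example, not code from the article or from Sanrio, showing what "unsalted" means for a stored password table: identical passwords produce identical SHA-1 hashes, while a per-user salt with a slow key-derivation function does not. The accounts are constructed sample data, and the choice of PBKDF2-HMAC-SHA256 and its iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not records from the breach).
ACCOUNTS = [
    ("alice@example.com", "kitty123"),
    ("bob@example.com", "kitty123"),
    ("carol@example.com", "S3parate-Phrase"),
]
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your own hardware


def unsalted_sha1(password):
    """Scheme named in the article: one fast hash, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_pbkdf2(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], expected)


def accounts_sharing_a_hash(stored_hashes):
    """Number of accounts whose stored hash also appears on another account."""
    counts = Counter(stored_hashes)
    return sum(n for n in counts.values() if n > 1)


def compare_schemes(accounts=ACCOUNTS):
    """Return (shared under unsalted SHA-1, shared under salted PBKDF2)."""
    weak = [unsalted_sha1(pw) for _, pw in accounts]
    strong = [salted_pbkdf2(pw)[1] for _, pw in accounts]
    return accounts_sharing_a_hash(weak), accounts_sharing_a_hash(strong)


if __name__ == "__main__":
    print(compare_schemes())
```

Under the unsalted scheme, the two accounts that chose the same password are visibly linked in the stored table; with per-user salts, no two stored values match.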

In the meantime, if you or your child are currently or were previously registered on sanriotown.com and use the same security questions or passwords on other websites, change them immediately. The same applies to usernames and passwords that are similar across the different websites you frequent.

As bad as identity theft is among adults, it could be a lot worse with children: the fraud might remain undetected for years, as parents aren’t likely to check the credit history of their children.
