3.3 million Hello Kitty website accounts leaked

Last week, security researcher Chris Vickery discovered a database containing 3.3 million accounts from Sanriotown, a commercial Hello Kitty fansite operated by Sanrio, Hello Kitty's corporate owners.

The leak includes names, dates of birth, easily cracked (unsalted) password hashes, country of origin, email addresses and password hints. The leak includes accounts from several Sanriotown subsites, including hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com. It appears that Vickery was the only person who accessed this database (which was hosted on Sanrio's servers and accessible to anyone due to a configuration error), and he has notified Sanrio, who have corrected the configuration and closed off the database.

Sanrio itself leaked 6,000 shareholders' data earlier this year. Earlier this month, Hong Kong crapgadget kingpins Vtech leaked 4.3 million families' data.

As with Vtech, Sanrio had skipped some of the elementary steps in securing its users' data: neither company had "salted the hash" of the passwords they stored, a cheap and simple way to make leaked passwords nearly useless to attackers.
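An added illustration of why the missing salt matters (example code written for this page, not anything from Sanrio, Vtech or the original article; the usernames, passwords and the tiny wordlist are constructed, and the PBKDF2 work factor is an assumed value): with bare hashes, every user who chose the same password leaks the same digest and one precomputed table resolves all of them at once, while a per-user random salt plus a slow KDF turns the same leak into a per-account, per-guess job.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the breach): two users picked the same weak password.
USERS = {"alice": "hellokitty1", "bob": "hellokitty1", "carol": "tr0ub4dor&3"}

# Constructed toy wordlist standing in for the precomputed tables used against unsalted hashes.
COMMON_PASSWORDS = ["123456", "password", "hellokitty1"]

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value, tune for your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-1 digest. Identical passwords give identical digests,
    so a single table built once covers every account in a leaked dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The salt is stored
    next to the digest; a table built for one salt says nothing about any other."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_hits(store: dict) -> int:
    """How many leaked entries one precomputed table of COMMON_PASSWORDS resolves.
    Against unsalted digests the table is reused across all accounts; against salted
    ones it would have to be rebuilt per user at ITERATIONS cost per candidate."""
    table = {unsalted_hash(p) for p in COMMON_PASSWORDS}
    return sum(1 for digest in store.values() if digest in table)


def build_stores():
    """Return the same accounts stored both ways, to compare side by side."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("distinct unsalted digests:", len(set(unsalted.values())), "of", len(USERS))
    print("distinct salted digests:  ", len(set(salted.values())), "of", len(USERS))
    print("table hits, unsalted:", table_hits(unsalted), " salted:", table_hits(salted))
```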

In an email to Salted Hash on Tuesday, Sanrio confirmed the exposed Hello Kitty database contained information on 186,261 minors, or those under the age of 18.

That's the bad news.

The good news is that, as mentioned yesterday, the leaked databases have been secured and the company's investigation so far shows that Vickery was the only person to have accessed the data.

Sanrio says the investigation is ongoing, so SanrioTown.com users are being encouraged to change their passwords, especially if they share those passwords with any other website. In addition, the email says that it's "possible (but not yet certain) that maintenance conducted on November 20th resulted in the database becoming accessible."

Database leak exposes 3.3 million Hello Kitty fans
[Steve Ragan/Salted Hash]

(via Beyond the Beyond)