Details on 3.3 million users of SanrioTown, Sanrio’s official website for Hello Kitty and other characters, have been leaked online following what appears to be a breach of the website’s database, according to a security researcher.
Sanrio’s products are popular with children, meaning it is likely children’s details are included in the database, although Sanrio did not immediately respond to a request to confirm this.
The records include names, birth dates, gender, country of origin, email address, lightly protected passwords, and password hint questions and answers, according to Vickery.
He said the passwords were stored as hashes using SHA-1 encryption, which is considered relatively easy to reverse. The hashes didn’t include “salts” of random data, a way of improving protection, Vickery said.
The inclusion of password recovery data means the passwords should be considered as compromised, according to security experts, who advised users to reset their passwords and to change passwords that might have been reused on other sites.
The database also included the details of users who registered on a number of other Sanrio websites, including hellokitty.com and mymelody.com.
Sanrio said it is looking into the incident.
“The alleged security breach of the SanrioTown site is currently under investigation,” the company said in a statement. “Information will be made available once confirmed.”
SanrioTown is operated by Hong Kong-based Sanrio Digital and hosts games and community forums related to Sanrio products.
Such data can be used in identity theft, according to industry observers.
Earlier this year Sanrio confirmed a database leak that exposed information on more than 6,000 of its shareholders.
Are you a security pro? Try our quiz!
A new low. International Committee of the Red Cross shuts down reunification system, after hackers…