Details on 3.3 million users of SanrioTown, Sanrio’s official website for Hello Kitty and other characters, have been leaked online following what appears to be a breach of the website’s database, according to a security researcher.
Sanrio’s products are popular with children, meaning it is likely children’s details are included in the database, although Sanrio did not immediately respond to a request to confirm this.
The records include names, birth dates, gender, country of origin, email address, lightly protected passwords, and password hint questions and answers, according to Vickery.
He said the passwords were stored as hashes using SHA-1 encryption, which is considered relatively easy to reverse. The hashes didn’t include “salts” of random data, a way of improving protection, Vickery said.
The inclusion of password recovery data means the passwords should be considered as compromised, according to security experts, who advised users to reset their passwords and to change passwords that might have been reused on other sites.
The database also included the details of users who registered on a number of other Sanrio websites, including hellokitty.com and mymelody.com.
Sanrio said it is looking into the incident.
“The alleged security breach of the SanrioTown site is currently under investigation,” the company said in a statement. “Information will be made available once confirmed.”
SanrioTown is operated by Hong Kong-based Sanrio Digital and hosts games and community forums related to Sanrio products.
The breach follows that of toy maker Vtech less than a month ago, which leaked 11 million users’ data, including that of nearly 6.4 million children.
Such data can be used in identity theft, according to industry observers.
Earlier this year Sanrio confirmed a database leak that exposed information on more than 6,000 of its shareholders.
Are you a security pro? Try our quiz!
Venture capital firms participating in $6bn-plus OpenAI funding round betting start-up will be worth trillions,…
Coinbase tells federal appeals court SEC has made it impossible to operate compliant crypto business…
Smartphone maker Xiaomi asks Indian antitrust regulator to recall August report, saying it failed to…
US proposes ban on sale of cars with Russian- or Chinese-made parts, amidst fears of…
Former Apple designer Sir Jony Ive confirms working with OpenAI chief Sam Altman on AI…
Microsoft-owned LinkedIn suspends use of UK user data to train generative AI after concerns expressed…
