Data Breach on Hello Kitty Servers, Over 3.3 Million Accounts Exposed

Share this…

After VTech, another kids service suffers a data breach.Personal details on 3.3 million accounts of Hello Kitty fans are available online, most of which are probably belonging to children, as the researcher that uncovered the breach told Salted Hash.

Chris Vickery discovered that the database was easily accessible online. This database contained aggregated information on users from various Hello Kitty-themed websites such as,,,,, and

The data included information like the user’s real name, email address, account password, gender, birthday, country of origin, password hints, and their answers. Other account was also included but was related to each website and its scope. Out of the exposed data, the birthday details were encoded, and the password string was hashed and stored in MD5 form (easy to crack).

The researcher says it notified both Sanrio, owner of the affected website and Hello Kitty brand, but also the ISP on whose servers the database was hosted.

Because the breach was reported over the weekend and there appears to be no answer from both companies, Vickery refrained from releasing any details that may help others compromise the servers.

Data Breach on Hello Kitty Servers, Over 3.3 Million Accounts Exposed

Vickery exposed data breaches for over 20 million accounts in the past week

Earlier this week, Vickery was on a rampage, reporting data breaches for companies and services like MacKeeper, security vendor for Macs (13 million accounts); OkHello, video chat app (2.6 million accounts); Slingo, online gaming site (2.5 million accounts); iFit, fitness app (576,000 accounts); Vixlet, social network (377,000 accounts); California Virtual Academies, online school network (74,000 accounts); and Hzone, dating app for HIV patients (5,027 accounts).

In all those cases, faulty MongoDB setups were to blame for all the breaches. Soon after Chris Vickery’s revelations, Chris Matherly, owner of Shodan, a search engine for Internet-connected devices, put out a report showing that two years after his initial research, there were still 35,000 improperly configured MongoDB database, leaking over 650 TB of data.

The following day, Mr. Matherly also released another report showing that over 130,000 Memcached servers and over 42,000 Redis database servers were vulnerable in the same way.

Three weeks ago, VTech, a Chinese toy maker also suffered a data breach via one of its online portals. Data on 4.8 million parent records and 6.7 million was leaked in that incident. This week, UK police arrested a suspect in that incident.