Hack Brief: Hello Kitty Sites Spill Details of 3.3 Million Users


SANRIO, THE TOKYO-BASED owner of the Hello Kitty brand, may be Japan’s global purveyor of kitschy cuteness. But the leak of 3.3 million of their website’s registered users’ data isn’t so endearing.

The Hack

Over the weekend, security researcher Chris Vickery told CSO’s Salted Hash security blog that he’d discovered a leaked database of more than 3.3 million user accounts for Sanriotown.com and other Sanrio-owned websites like hellokitty.com and mymelody.com. The breached data included full names, encoded but decipherable birth dates, email addresses, and encrypted passwords, along with password reset questions and answers.[1]

It’s not clear if the site’s breached data contained any financial information, or how it was leaked. Vickery didn’t immediately respond to a request for more information. A Sanrio spokesperson wrote to WIRED in a statement that “the alleged security breach of the SanrioTown site is currently under investigation. Information will be made available once confirmed.”[2]


Who’s Affected

Given Hello Kitty’s appeal to teens and tweens, Sanrio’s breach raises questions about whether or how many minors’ data might have been caught up in the site’s database dump. Sanriotown.com, run by Hong-Kong-based Sanrio Digital, hosts games and community forums related to Sanrio brands, so kids’ personal details may have been caught up in the leaked data.

That would make the Sanrio breach the second in just the last month to demonstrate the vulnerability of children to the same sort of data breaches that usually affect adults. In late November, a hacker pulled more than 11 million users’ data from the gadget maker Vtech, of which nearly 6.4 million were kids, according to the company. That breach, which was pulled off by a hacker who told news site Motherboard that he or she merely wished to demonstrate Vtech’s insecurity, went beyond mere usernames and passwords to include children’s photos and chat logs.

How Serious Is This?

Sanrio has yet to confirm the full extent of its data breach. But cautious users of the company’s sites, young or old, should reset their passwords—whether or not Sanrio itself acknowledges the breach and requires that reset. Vickery says that the leaked passwords were protected only with SHA-1 hashing, and were not “salted” with random per-user data, an additional step that makes stored password hashes far harder to reverse. That oversight, along with what Vickery describes as password reset information included in the breach, means the passwords should be considered compromised. Anyone who reused the same password between one of the breached sites and other websites should also be careful to change those other sites’ passwords, too.
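To make the salting point concrete, here is an added example (not code from the article, from Sanrio, or from Vickery) contrasting the unsalted SHA-1 scheme described above with a salted password hash. With unsalted SHA-1, every user who chose the same password ends up with the identical digest, so one precomputed digest unmasks all of them at once; with a random per-user salt and a slow key-derivation function, the same password produces a different digest for each user and has to be attacked one account at a time. The two user records and their shared password are constructed for illustration, and the PBKDF2 iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample records (not from any real leak): two users who
# happened to pick the same weak password.
USERS: Dict[str, str] = {
    "alice": "kitty2015",
    "bob": "kitty2015",
}

# Assumed work factor for PBKDF2-HMAC-SHA256; tune upward as hardware allows.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: a bare SHA-1 digest, no salt.

    Identical passwords always yield identical digests, so the output can be
    matched against a precomputed table of common passwords.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 and a random 16-byte salt.

    The salt is stored alongside the digest; it need not be secret, only unique
    per user, so that equal passwords no longer produce equal digests.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the salted digest and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def unsalted_collisions(users: Dict[str, str]) -> int:
    """Count users whose unsalted SHA-1 digest is shared with another user."""
    digests = [unsalted_sha1(pw) for pw in users.values()]
    return sum(1 for d in digests if digests.count(d) > 1)


def salted_collisions(users: Dict[str, str]) -> int:
    """Same count for the salted scheme; a fresh salt per user makes this 0."""
    digests = [salted_hash(pw)[1] for pw in users.values()]
    return sum(1 for d in digests if digests.count(d) > 1)


if __name__ == "__main__":
    print("users sharing an unsalted SHA-1 digest:", unsalted_collisions(USERS))
    print("users sharing a salted digest:        ", salted_collisions(USERS))
    salt, digest = salted_hash(USERS["alice"])
    print("verify correct password:", verify("kitty2015", salt, digest))
    print("verify wrong password:  ", verify("Kitty2015", salt, digest))
```

The collision count is the property that matters: under the unsalted scheme both constructed users collide, so a single lookup recovers both passwords, while under the salted scheme they do not, and each guess must be run through the slow derivation separately. Migrating a legacy SHA-1 store means re-hashing each password with `salted_hash` at the user’s next successful login (or forcing a reset, as the article advises), since the original plaintext is never available to the site.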

Beyond the risk of a compromised HelloKitty.com account, the Sanrio and Vtech breaches both serve as reminders that minors today can also be victimized by data breaches, particularly as their online footprints grow to match those of adults. Fraud and identity theft can target children, using their information undetected for years. It’s worth checking on the data security of your kids, too—as if guarding your own personal information weren’t vexing enough.

[1] Correction 12/21/2015 3:21pm EST: An earlier version of this story confused the games and community site Sanriotown.com with the e-commerce site Sanrio.com.

[2] Updated 12/21/2015 3:21pm EST with a comment from a Sanrio spokesperson.