Hello Kitty, and hello to the leaked details of 3.3 million of the cartoon’s fans.
Over the weekend, security researcher Chris Vickery told CSO’s Salted Hash security blog that he’d discovered a database for the official online community of sanriotown.com, home to Sanrio’s Hello Kitty and her many pals.
Vickery said that the breached data included full names, birth dates that were encoded but easily reversible, gender, country of origin, email addresses, unsalted SHA-1 password hashes, and password reset questions and answers.
The exposed database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.
Accounts registered at these portals are also involved in the breach: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.
Beyond the main sanriotown database, Vickery also found two additional backup servers containing mirrored data, with the earliest logged exposure dating to 22 November.
Vickery said that he’s notified both Sanrio and the ISP on whose servers the database was hosted.
Hello Kitty is wildly popular, both with children and adults.
She’s a minimalist white creature (Hello Kitty is not a cat, Sanrio will tell you: she’s actually a London schoolgirl who herself owns a cat) that was originally marketed at pre-adolescent girls.
But at this point, Hello Kitty also has a sizable adult following in the subculture of kawaii – those who adore all things cute and Japanese.
The Hello Kitty breach is the second in a matter of weeks that’s involved the data of children.
At the end of November, electronic toy vendor VTech was breached, with the tally including names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birth dates of more than 200,000 children.
As if that wasn’t bad enough, the breach also included thousands of pictures of parents and kids, a year’s worth of chat logs stored online in a way that was reportedly easy to hack, as well as audio recordings, some of kids’ voices.
Chris Vickery, for his part, has been hella busy.
Last week, he discovered that Mac cleaning/performance-boosting/security-enhancing app MacKeeper is actually failing to keep 13 million Macs safe.
MacKeeper, found to be publicly exposing 13,000,000 customer records, runs on database software called MongoDB.
So too does Hzone, a dating app for HIV-positive people that was likewise found to be leaking sensitive user data, Vickery went on to disclose last week.
According to Softpedia, Vickery also reported data breaches for OkHello, a video chat app; Slingo, an online gaming site; iFit, a fitness app; Vixlet, a social network; and California Virtual Academies, an online school network.
MongoDB databases were blamed for all the breaches.
It’s unclear if the Hello Kitty database was also MongoDB.
But Vickery told Forbes on Monday that he’s found yet another MongoDB leak that also involves children’s details: this one’s reportedly at the Major League Baseball (MLB) Digital Academy site, where Little League kids can compare their swings and match data with the pros.
Vickery told Forbes that a mix of 20,000 accounts of parents and children were in the database he uncovered.
He’s apparently finding all these MongoDB databases by doing searches using a tool called Shodan, a search engine for internet-connected devices.
Soon after Vickery’s string of findings, Shodan founder Chris Matherly reported that there are currently 35,000 improperly configured MongoDB databases, leaking about 649 TB of data.
But back to Hello Kitty: just as with the VTech breach, those with registered accounts on the Sanrio sites should change their passwords immediately.
That goes for children too.
If those same passwords have been used on other sites, make sure to change them wherever else they’re used.
Also change any password-reset question and answer pairs that are reused elsewhere.
Remember: use a unique, strong password for every site or service.
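As an added illustration that is not part of the article, the Python below shows why the unsalted SHA-1 hashes reported in the Sanrio leak offer so little protection, and what a per-user salt plus a slow hash (here PBKDF2, one commonly available option) changes. The user names, passwords and wordlist are constructed sample values, not data from the breach.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample of three accounts; two of them chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "kitty123",
    "bob": "kitty123",
    "carol": "Tr0ub4dor&3",
}

# Constructed stand-in for a list of very common passwords.
COMMON_PASSWORDS: List[str] = ["password", "123456", "kitty123", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: plain SHA-1 with no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_password_users(stored: Dict[str, str]) -> List[str]:
    """Without salt, identical passwords give identical hashes, so a leaked
    table reveals which users share a password without cracking anything."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in stored.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(u for group in by_hash.values() if len(group) > 1 for u in group)


def audit_against_wordlist(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Defender-side audit: precompute SHA-1 of each common password once and
    look up every stored hash. This is exactly what salt is meant to prevent."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow derivation (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

Run the audit on `{u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}` to see both "alice" and "bob" recovered from a four-word list, while the salted variant gives the same password two different digests.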