Stolen details of 3.3m Hello Kitty fans – including kids – published online

Remember that database of 3.3 million Hello Kitty fans that got exposed about a year ago? Make that exposed, stolen and published online one year later.

In December 2015, Sanrio – the company behind the database, the Hello Kitty brand and a host of related portals – insisted that nobody touched the database except the security researcher who found the unsecured MongoDB database in the first place.

That would be MacKeeper’s Chris Vickery, who has used the Shodan search engine to hunt down a dizzying array of unsecured MongoDB instances published online. Those include Hzone, a dating app for HIV-positive people that was likewise found to be leaking sensitive user data; OkHello, a video chat app; Slingo, an online gaming site; iFit, a fitness app; Vixlet, a social network; and California Virtual Academies, an online school network.

Three days after Vickery found the leaking Hello Kitty database just before Christmas 2015, Sanrio said the security hole had been fixed, that the glitch was probably due to maintenance conducted a few weeks earlier, and that new security measures had been put in place.

From the statement:

In addition, new security measures have been applied on the server(s); and we are conducting an internal investigation and security review into this incident. To the Company’s current knowledge, no data was stolen or exposed.

But on Sunday, a copy of that database was found on the LeakedSource index, according to Steve Ragan from CSO’s Salted Hash site.

We don’t know when it was copied, but we do know that the exposure of 3.3 million records from sanriotown.com puts many people at risk, including 186,261 Hello Kitty fans who are younger than 18.

Ragan says he compared the LeakedSource records with the screenshots Vickery shared in 2015 and found that the field names are a match: for example, both data sets use fields labelled “_createdFrom”, “dateOfBirth”, “gender”, “firstName”, “lastName”, etc.

One important, disconcerting difference that points to the database having been groomed for criminal intent: the LeakedSource records have been stripped of anything but personal details. All other data has been removed.

Vickery said in 2015 that the breached data included full names, birthdates that were encoded but easily reversible, gender, country of origin, email addresses, unsalted SHA-1 password hashes, and password reset questions and answers.
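The “unsalted SHA-1” detail above is the part of this story that matters most for anyone storing credentials, so here is an added illustration (example code written for this page, not anything from Sanrio or from the researchers quoted). The user names and passwords in it are constructed sample values. It shows why an unsalted fast hash is a liability even before anyone tries to recover a password: two users with the same password get the same stored value, so a stolen table exposes password reuse directly, and a single precomputed table works against every site that stores hashes this way. The second half shows the standard fix, a per-user random salt with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library), which makes identical passwords look different in storage and makes guessing expensive.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the breach): alice and bob chose the same password.
SAMPLE_USERS = {
    "alice@example.invalid": "kitty123",
    "bob@example.invalid": "kitty123",
    "carol@example.invalid": "s0me-other-pass",
}

# Iteration count for the slow KDF; higher is slower for everyone, including an attacker.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: one fast SHA-1 over the raw password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_password_groups(stored: dict) -> dict:
    """Map each stored value that appears more than once to the users who share it.

    With an unsalted scheme, identical stored values mean identical passwords, so a stolen
    table reveals password reuse without anyone recovering a single password.
    """
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}


def salted_pbkdf2(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS):
    """Return (salt, digest) using a fresh random 16-byte salt unless one is supplied."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, stored_digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def compare_schemes(users: dict) -> dict:
    """Store the same passwords both ways and report how much reuse each scheme leaks."""
    weak_table = {u: unsalted_sha1(p) for u, p in users.items()}
    strong_table = {u: salted_pbkdf2(p)[1].hex() for u, p in users.items()}
    return {
        "unsalted_sha1_reuse_groups": len(shared_password_groups(weak_table)),
        "salted_pbkdf2_reuse_groups": len(shared_password_groups(strong_table)),
    }


if __name__ == "__main__":
    print(compare_schemes(SAMPLE_USERS))
```

Running the block on the constructed accounts reports one reuse group under unsalted SHA-1 (alice and bob) and none under the salted scheme; the salted values can still be verified for the right password and reject a wrong one.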

The LeakedSource data has all that, and more. Ragan reports that there’s a new field in the LeakedSource records that’s labelled “incomeRange” and that shows values running from 0 to 150. He said that it’s unclear what those values represent, but not every record has them.

When he initially discovered the database leak in 2015, Vickery said that accounts registered at these portals were involved in the breach: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.

He also said that beyond the main sanriotown database, he found two additional backup servers containing mirrored data, with the earliest logged exposure dating to November 22: two days after the date Sanrio had cited for the maintenance work that it suspected of having caused the leak.

To help prevent identity theft, Sanrio in 2015 urged users to change their passwords and security Q&As and to make sure they didn’t reuse passwords between sites.

We don’t know how many children or other users followed that advice, nor how many have been victimized during the 14-odd months the data has been readily available to fraudsters, but we do know it’s still sound advice.

Always use a unique, strong password for every site or service. Here’s an article that explains why that’s so important, and here’s another that walks you through creating a proper password.