Millions of Hello Kitty fans have their data exposed online

If you’re a lover of Hello Kitty, My Melody, and (my favourite) Keroppi the frog then you might want to rub the cuteness out of your eyes, and wake up to the real world of information security.

Fresh on the heels of revealing that 13 million MacKeeper customers had had their sensitive account details left lying around on a publicly accessible database, researcher Chris Vickery has discovered a database containing the details of some 3.3 million users of the Sanrio Town online community.

Sanrio, of course, is the Japanese company that for decades has looked after the multitude of products that bear the Hello Kitty and Friends cartoon brands.

As CSO reports, Vickery discovered the database dump containing a wealth of information about members:

The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.

Vickery also noted that accounts registered through the fan portals of the following websites were also impacted by this leak: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.

The security breach comes shortly after electronic learning toy manufacturer VTech was hacked, revealing the personal details of millions of families and their children.

Understandably there will be concern that not only has Sanrio’s database been exposed, but also that it may contain the personal information of children.

Therefore, it is especially important that steps are taken to limit the potential impact of the security breach.

Although users’ passwords appear to have been hashed, there remains the potential for hackers to crack them – especially if weak passwords were chosen.
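
To see why "hashed" is not the same as "safe" here, the following added example (not code from Sanrio, CSO or Vickery) stores the same constructed accounts two ways: as bare SHA-1 with no salt, and with a per-user random salt and a slow key-derivation function. The account names, passwords and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; not data from the exposed database.
ACCOUNTS = [
    ("alice@example.com", "kitty123"),
    ("bob@example.com", "kitty123"),
    ("carol@example.com", "quiet-lantern-tram-61"),
]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def sha1_unsalted(password):
    """Weak storage form named in the article: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def accounts_sharing_a_digest(stored):
    """Group users whose stored digest is identical (i.e. same password)."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def hash_password(password, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, PBKDF2_ITERATIONS, key


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    weak = {user: sha1_unsalted(pw) for user, pw in ACCOUNTS}
    print("unsalted SHA-1, identical digests:", accounts_sharing_a_digest(weak))
    strong = {user: hash_password(pw)[2].hex() for user, pw in ACCOUNTS}
    print("salted PBKDF2, identical digests:", accounts_sharing_a_digest(strong))
```

With no salt, every user who picked the same password ends up with the same stored value, so one guess is checked against all of them at once; with a per-user salt and a slow function, each record has to be attacked separately and each guess costs far more.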

Therefore, the first step is to ensure that the password you or your children are using on Sanrio’s websites is not being reused on any other online account. After all, if a hacker has managed to access the Hello Kitty database, you wouldn’t want those details to be used in an attempt to break into other accounts – such as your webmail or banking sites.

If you do find that passwords are being reused, change them immediately, choosing a password that is hard to crack and impossible to guess. It’s the twenty-first century, stop choosing passwords like it’s 1987.

As a rule you shouldn’t ever reuse your passwords. If you – quite understandably – find it hard to remember unique and complex passwords for each website you access, invest in a decent password management tool.

In addition, where websites give you the option of using two-factor authentication (2FA) for an additional layer of security, be sure to enable it. Yes, 2FA can be a minor pain, but it is a lot less of a hardship than trying to recover a hacked account.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
