Stolen Hello Kitty Database Published Online


11 / 01 / 2017


More than a year ago, the database of Hello Kitty fans was publicly exposed online. The unprotected database was discovered by MacKeeper security researcher Chris Vickery, who found more than 3.3 million accounts by using the Shodan search engine.

In December 2015, the database was secured and Sanrio, the company behind the Hello Kitty brand, announced that the user accounts were protected and that nobody had touched the database except Chris Vickery, who had found it in the first place.

Here is a quote from Sanrio’s official statement:

“In addition, new security measures have been applied on the server(s); and we are conducting an internal investigation and security review into this incident. To the Company’s current knowledge, no data was stolen or exposed.”

Steve Ragan, security reporter for CSO’s Salted Hash site, stated that a copy of the 3.3 million accounts from the Hello Kitty database was found on the LeakedSource index. At the moment, no one knows when or how this data was copied. Sanrio is investigating the leak and is asking users to update their passwords and security Q&As, just as it did last year right after the breach.

According to Ragan, when he compared the database found by Vickery with the database found on LeakedSource, most fields and names matched: the “_createdFrom” field, “dateOfBirth”, “gender”, “firstName”, “lastName”, etc.

As Chris Vickery said, the database that was found last year included full names, birthdates, gender, country, email addresses, plain text passwords, and password reset questions and answers.

Plain text passwords represent a real threat, as they may be used as a master key to other user accounts. Most Sanrio fans are under 18, and they may use a single password for all of their accounts.

Previously, Sanrio advised its users to follow security instructions, but at the moment it’s unknown how many users followed that advice and secured their accounts.

MacKeeper strongly recommends that you follow the standard security advice if your account is listed in a compromised database:

  • Update the password and security Q&A of your Sanrio account.

  • Change your passwords and security Q&A for any other accounts where you used information that was the same as or similar to your Sanrio account information.

  • Review all of your accounts for suspicious activity.