3.3 million Hello Kitty fans exposed in database leak

December 22nd, 2015 by Mark Daly in Industry News

Hello Kitty, and hello to the leaked details of 3.3 million of the cartoon’s fans.

Over the weekend, security researcher Chris Vickery told CSO’s Salted Hash security blog that he’d discovered a database for the official online community of, home to Sanrio’s Hello Kitty and her many pals.

Vickery said that the breached data included full names, birth dates that were encoded but easily reversible, gender, country of origin, email addresses, unsalted SHA-1 password hashes, and password reset questions and answers.

The exposed database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.

Accounts registered at these portals are also involved in the breach:;;;; and

Beyond the main sanriotown database, Vickery also found two additional backup servers containing mirrored data, with the earliest logged exposure dating to 22 November.

Vickery said that he’s notified both Sanrio and the ISP on whose servers the database was hosted.

Hello Kitty is wildly popular, both with children and adults.

She’s a minimalist white creature (Hello Kitty is not a cat, Sanrio will tell you: she’s actually a London schoolgirl who herself owns a cat) that was originally marketed at pre-adolescent girls.

But at this point, Hello Kitty also has a sizable adult following in the subculture of kawaii – those who adore all things cute and Japanese.

The Hello Kitty breach is the second in a matter of weeks that’s involved the data of children.

At the end of November, electronic toy vendor VTech was breached, with the tally including names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birth dates of more than 200,000 children.

As if that wasn’t bad enough, the breach also included thousands of pictures of parents and kids, a year’s worth of chat logs stored online in a way that was reportedly easy to hack, as well as audio recordings, some of kids’ voices.

Chris Vickery, for his part, has been hella busy.

Last week, he discovered that Mac cleaning/performance-boosting/security-enhancing app MacKeeper is actually failing to keep 13 million Macs safe.

MacKeeper, found to be publicly exposing 13,000,000 customer records, runs on database software called MongoDB.

So too does Hzone, a dating app for HIV-positive people that was likewise found to be leaking sensitive user data, Vickery went on to disclose last week.

According to Softpedia, Vickery also reported data breaches for OkHello, a video chat app; Slingo, an online gaming site; iFit, a fitness app; Vixlet, a social network; and California Virtual Academies, an online school network.

MongoDB databases were blamed for all the breaches.

It’s unclear if the Hello Kitty database was also MongoDB.

But Vickery told Forbes on Monday that he’s found yet another MongoDB leak that also involves children’s details: this one’s reportedly at the Major League Baseball (MLB) Digital Academy site, where Little League kids can compare their swings and match data with the pros.

Vickery told Forbes that a mix of 20,000 accounts of parents and children were in the database he uncovered.

He’s apparently finding all these MongoDB databases by doing searches using a tool called Shodan, a search engine for internet-connected devices.

Soon after Vickery’s string of findings, Shodan founder Chris Matherly reported that there are currently 35,000 improperly configured MongoDB databases, leaking about 649 TB of data.

But back to Hello Kitty: just as with the VTech breach, those with registered accounts on the Sanrio sites should change their passwords immediately.

That goes for children too.

If those same passwords have been used on other sites, make sure to change them wherever else they’re used.

Also change any password-reset question and answer pairs that are reused elsewhere.

Remember: use a unique, strong password for every site or service.
