Sanrio, the company behind the popular Hello Kitty brand, says that it has fixed the leak that compromised the data of 3.3 million customers.
Security Researcher Chris Vickery told the Salted Hash blog Saturday that he discovered a database for SanrioTown.com that houses 3.3 million customer accounts and has ties to a number of Hello Kitty portals.
SanrioTown.com is an online community for Hello Kitty enthusiasts around the world operated by Hong Kong-based Sanrio Digital. The site lets users play games, watch videos and keep up with news on their favorite cute character.
In a statement released late Tuesday, Sanrio Digital confirmed that personal information belonging to members of SanrioTown.com was subject to a security vulnerability. “Sanrio Digital has investigated the problem and the vulnerability has been corrected,” it said. “In addition, new security measures have been applied on the server(s); and we are conducting an internal investigation and security review into this incident. To the Company’s current knowledge, no data was stolen or exposed.”
However, Vickery disputed Sanrio's claim that information was not accessed, since he used multiple IP addresses himself to access data and confirm the vulnerability. He also believes Sanrio would have discovered the problem easily had it paid attention to its security practices.
Sanrio noted that personal information such as names, date of birth, gender, and other information belonging to SanrioTown.com members was accessible if the address of the vulnerable servers was known. “The vulnerable data did not include credit card information or other payment information and passwords were securely encrypted,” it said.
The company added that membership data of SanrioTown is not shared between related Sanrio services, such as Sanrio.com, hellokitty.com and mymelody.com, noting that other Sanrio services were not affected by the vulnerability.
SanrioTown.com’s members include 186,261 minors, said Mark Leeper, whose public relations firm is representing Sanrio Digital.
The security of minors’ data has been in the spotlight recently. The personal information of more than 11.2 million people – including almost 6.4 million children, was exposed last month following a hack of the electronic toy maker VTech.
Sol Cates, chief security officer of data security specialist Vormetric told FoxNews.com that Hello Kitty’s problems underline the importance of tightly encrypted data. “Given that many organizations have not adjusted their cybersecurity stance to take into account today’s multi-level attacks, the Hello Kitty breach highlights yet again that organizations should be focusing on making sure sensitive data remains protected,” he explained, in an emailed statement. “Leveraging strong encryption with access control is critical to achieving this.”
The Associated Press contributed to this report.
Follow James Rogers on Twitter @jamesjrogers