Hello Kitty fans' data was at risk of hacking

SINGAPORE • More than three million accounts of Hello Kitty fans were left vulnerable to theft by hackers, but there is no evidence any data has been stolen, the Hong Kong-based company hosting the data said.

A spokesman for Sanrio Digital, part-owned by Sanrio, the Japanese owner of the Hello Kitty brand, said yesterday it had fixed the hole after being notified by security researcher Chris Vickery that personal information of its users was accessible.

Mr Vickery told Reuters by e-mail that the company had plugged the holes he found in three servers. But he said the database had been exposed for nearly a month, meaning that anyone who knew its Internet address could have accessed it.

"It would have been extremely easy for a bad guy to take the data," he said. "Extremely easy. Almost as easy as downloading a Web page."

Sanrio Digital said in a statement that "at this time we have no indication that any personal information was stolen".

The spokesman said 3.3 million accounts had been vulnerable, including the names, ages and gender of fans. He said that the accounts all belonged to users of the SanrioTown.com website, a community for fans of Hello Kitty.

No credit card or other payment information was included in the vulnerable data, and passwords "were securely encrypted", according to the statement.

News of the hole in the Sanrio Digital-hosted site follows last month's breach of another Hong Kong company, electronic toymaker VTech Holdings. Millions of records of parents and children were compromised.

In that case, the hacker who found the vulnerability stole the data but shared some of it with a researcher and was reported as saying he had no plans to sell it. The British police arrested a 21-year-old man last week in connection with the hack.

United States-based Mr Vickery, who explores security vulnerabilities in his spare time and reports them to the affected companies, said the hole in the Hello Kitty site was the result of a simple misconfiguration of a database, leaving it open to public access without a password or authentication.

He said he had found thousands of similar vulnerabilities simply by searching an online database of connected devices.

Sanrio is best known for its Hello Kitty character which emblazons items ranging from stationery to clothing. Sanrio Digital is 70 per cent owned by Hong Kong games company Typhoon Games, with the rest held by Sanrio Wave Hong Kong, a unit of Sanrio.

A spokesman for Sanrio in Tokyo said the Hong Kong website had no connection to a Sanrio shareholder database, which leaked data earlier this year through a security hole in a system managed by a shareholder service company.


A version of this article appeared in the print edition of The Straits Times on December 23, 2015, with the headline 'Hello Kitty fans' data was at risk of hacking'. Print Edition | Subscribe