‘Hello Kitty’ fan site exposed, but web host says no data stolen

Security researcher says database was exposed for nearly a month

Sanrio Digital, part-owned by Sanrio Co Ltd , the Japanese owner of the Hello Kitty brand, said it had fixed a security flaw that could have exposed details of up to 3 million members of its fan site.   Photograph: Junko Kimura/Bloomberg
Sanrio Digital, part-owned by Sanrio Co Ltd , the Japanese owner of the Hello Kitty brand, said it had fixed a security flaw that could have exposed details of up to 3 million members of its fan site. Photograph: Junko Kimura/Bloomberg

More than 3 million accounts of Hello Kitty fans were left vulnerable to theft by hackers, but there is no evidence any data has been stolen, the Hong Kong-based company hosting the data said.

A spokesman for Sanrio Digital, part-owned by Sanrio Co Ltd , the Japanese owner of the Hello Kitty brand, said it had fixed the hole after being notified by security researcher Chris Vickery that personal information of its users was accessible.

Mr Vickery told Reuters by e-mail that the company had plugged the holes he had found in three servers. But he said the database had been exposed for nearly a month, meaning that anyone who knew its internet address could have accessed it.

“It would have been extremely easy for a bad guy to take the data,” he said. “Extremely easy. Almost as easy as downloading a web page.”

READ MORE

Sanrio Digital said in a statement that “at this time we have no indication that any personal information was stolen.”

The spokesman said 3.3 million accounts had been vulnerable, including the names, ages and gender of fans. He said that the accounts all belonged to users of the SanrioTown.com website, a community for fans of Hello Kitty.

No credit card or other payment information was included in the vulnerable data, and passwords “were securely encrypted,” according to the statement.

The spokesman said while the company technically doesn’t allow minors to sign up, this was implemented through an honour system, meaning that those younger than 13 could register by lying about their age.

News of the hole in the Sanrio Digital-hosted site follows last month’s breach of another Hong Kong company, electronic toymaker VTech Holdings Ltd. Millions of records of parents and children were compromised.

In that case the hacker who found the vulnerability stole the data but shared some of it with a researcher and was reported as saying he had no plans to sell it. UK police arrested a 21-year old man last week in connection with the hack.

U.S.-based Vickery, who explores security vulnerabilities in his spare time and reports them to the affected companies, said the hole in the Hello Kitty site was the result of a simple misconfiguration of a database, leaving it open to public access without a password or authentication.

He said he had found thousands of similar vulnerabilities simply by searching an online database of connected devices.

Sanrio Co is best known for its Hello Kitty character which emblazons items ranging from stationery to clothing. Sanrio Digital is 70 per cent owned by Hong Kong games company Typhoon Games Ltd, with the rest held by Sanrio Wave Hong Kong Co, a unit of Sanrio Co.

A spokesman for Sanrio in Tokyo said that the Hong Kong website had no connection to a Sanrio shareholder database, which leaked data earlier this year through a security hole in a system managed by a shareholder service company.

Reuters