Hello Kitty Data Breach Compromises 3.3 Million Accounts
Just when parents might have thought it was safe to go back online, another data breach that affects the user accounts of millions of individuals—mostly children and teens—has taken place.
Sanrio, the Japanese company behind Hello Kitty and all of her cute character friends, was recently informed by a security expert that a database with more than three million user accounts had been leaked online, along with two backup servers that had been mirrored.
The information in the databases included users’ first and last names, birthdays, genders, countries of origin, email addresses, unsalted SHA-1 password hashes, password hint questions and corresponding answers, and other key information that’s relevant to the use of the website.
The affected websites include several different countries’ Hello Kitty sites, as well as sites connected to another Sanrio character, My Melody. While there is an e-commerce aspect to the websites where users can make purchases, it doesn’t appear that any financial information was compromised.
So what do hackers want with this information, if it’s not about the money? That’s hard to tell since there are multiple possibilities. In the case of the very recent VTech breach that affected around 12 million adults and children, the culprit has stated that he did it simply to prove to VTech that its security was useless and that its users were vulnerable. Of course, that’s something he could probably have done without stealing the information and frightening millions of people.
Initially, investigators were worried that the VTech breach had an even more malicious purpose since children’s photos, genders, ages, birth dates, and names were stolen. That information could have been cross-referenced with the parents’ physical addresses—also stolen—and used for unspeakable crimes. Fortunately, the VTech hacker has stated he would never have sold or used children’s information, but only did this to prove a point.
In Sanrio’s case, however, there’s no guess as to the motive at this point in the investigation. The websites’ users are spread around the globe, so securing their information and their personal safety will be tough.
Both of these recent events do have a silver lining in that they should serve as a warning to parents about oversharing and about really understanding how their family’s personal information is used online. Especially where children are concerned, there’s very little reason to upload a child’s photograph to a website with millions of users, and even less reason to use a real name, birth date, or other identifying information. The VTech app would have worked just as well with slightly altered data on each child, and parents would have had the peace of mind of knowing the stolen information wasn’t even accurate.