Hello Kitty community flaw exposes details of 3.3 million users
22 December 2015
Flaws in the database housing details of individuals using the online Hello Kitty community have been discovered, leaving 3.3 million users exposed.
Details of 3.3 million individuals signed up to the online communities for Hello Kitty and other Sanrio characters may be vulnerable to theft, after a researcher found the sites’ databases contained the same flaws as MacKeeper and others.
Records revealed users’ full names, birthdays, genders, countries, email addresses, secret questions and answers and unsalted SHA-1 password hashes.
Although the birthday data was stored in encoded form, Vickery said that it could easily be reverse engineered.
Storing password hashes without a salt also makes them easier to crack with dictionary attacks and precomputed rainbow tables.
Such attacks are often successful at deciphering passwords made up of ordinary or common words, even when combined with random numbers or punctuation marks.
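An added illustration of the point above (not code from the article or from Sanrio): with bare SHA-1, every user who picks the same password gets the same stored hash, so a single precomputed table covers the whole database, while a per-user salt and a slow key-derivation function remove that shortcut. The account names and passwords are constructed, and the PBKDF2 iteration count is an assumed work factor.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """Weak scheme described in the article: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened storage: random per-user salt plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def shared_hashes(stored: dict[str, str]) -> list[list[str]]:
    """Group users whose stored hash is identical (a sign of missing salts)."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample accounts, not data from the incident.
ACCOUNTS = {"alice": "kitty2015", "bob": "kitty2015", "carol": "x9!Tq#vLm2"}

weak = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
strong = {user: hash_password(pw) for user, pw in ACCOUNTS.items()}
strong_hex = {user: digest.hex() for user, (_salt, digest) in strong.items()}

if __name__ == "__main__":
    print("unsalted SHA-1, users sharing a hash:", shared_hashes(weak))
    print("salted PBKDF2, users sharing a hash: ", shared_hashes(strong_hex))
    print("alice verifies:", verify_password("kitty2015", *strong["alice"]))
```

Running `shared_hashes` over an existing credential table is a quick audit: any group it returns means the stored hashes are unsalted or share a salt.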
Some sources speculated that children’s data is also likely to have been exposed, although as yet this has not been confirmed.
Researcher Chris Vickery recently discovered that several databases including MacKeeper, iFit, Slingo and Vixlet contained a flaw that left a total of 25 million users’ details exposed.
The vulnerability was later discovered to apply to hundreds of improperly installed MongoDB databases.
Vickery has now found that Hello Kitty and Sanrio’s databases are subject to the same vulnerabilities, exposing details of 3.3 million registered adults and children.
Individuals’ details may be vulnerable if they are registered to hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com.
Two backup servers containing mirror data were also discovered to contain the same flaws.
Vickery contacted experts at Databreaches.net and Salted Hash regarding the leaked data on 19 December to verify his findings before informing Sanrio.
Sanrio issued a brief statement to the media, saying: “The alleged security breach of the SanrioTown site is currently under investigation. Information will be made available once confirmed.”
This is the second time that Sanrio has experienced one of its databases leaking information this year, with a leak earlier in 2015 exposing information of more than 6,000 company shareholders.