A security researcher claims to have discovered a leaked database for SanrioTown.com, the Hello Kitty official online community, which contained the information of 3.3 million accounts.
Independent security researcher Chris Vickery said the data contained user first and last names, genders, countries of origin, email addresses, forgotten password questions and answers, weakly encoded birthdays and unsalted SHA-1 password hashes, according to the security news site Salted Hash. Two additional backup servers containing mirrored data were also discovered, the report said.
Accounts registered to hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com were also compromised as well. SanrioTown said it complies with internationally recognized standards of personal data and privacy protection in its privacy policy.
SanrioTown.com has not officially addressed allegations of the leak and has yet to respond to SCMagazine.com's request for comment.
This is the second major breach affecting a children's product within a month following the VTech breach that impacted nearly six million accounts.
Update: Sanrio acknowledged the company's data was accessible to those who knew the address of the vulnerable servers but said, to its knowledge, "no data was stolen or exposed." in a Dec. 22, 2015 company blog post.
