Hello Kitty fixes website security flaw
The company said the loophole has been closed and data is now safe
Hello Kitty has released a statement saying it has closed the security hole that leaked the personal details of up to 3.3m children because of a "server misconfiguration."
"We investigated the problem and applied fixes, including securing the servers identified as vulnerable by Mr Vickery," the company said in a statement.
"We are conducting an internal investigation and security review into this incident; at this time we have no indication that users’ personal information was stolen by malicious parties."
The breach was discovered by security researcher Chris Vickery according to the Salted Hash blog and details leaked include the user's real name, email address, account password, gender, birthday, country of origin, password hints, and their answers.
Although birthdays and passwords were encoded, they could easily be decoded by the hackers, meaning the data could be used to infiltrate other accounts held by the victims.
Sanrio added in its statement that credit card and payment information was not made available, hopefully putting some minds at rest.
Gerard Bauer, VP EMEA, Vectra Networks commented: "This provides an attack entry method that could allow cyber criminals to bypass traditional security defences in order to enter and exploit internal systems with the appearance of a legitimate user, which could allow them a cyber foothold within their targeted organisations."
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
The accounts were registered through the following websites which may also be at risk from the leak: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.
In addition to the Sanrio Town database, Vickery found two additional backup servers containing mirrored data. According to the blog, the earliest known date of exposure of the data was 22 November this year.
Vickery has not published the data’s whereabouts in order to prevent the leak from spreading.
Users have been advised to change passwords to something that is not already in use on other sites in order to boost security. They've also been advised to set up credit monitoring.
Security experts have warned that businesses must be extra-vigilant when setting up their security systems, even more so when the data relates to children.
“Organisations like Sanrio Town must stop taking shortcuts when it comes to security. Basic encryption may have been used, but on its own this is largely ineffective," Ross Brewer, vice president and managing director for international markets at LogRhythm said.
"Hackers are using increasingly complex methods to make their way past flimsy defences, and by getting their hands not just on passwords, but also password hints and answers, gaining access to account information would have been as easy as 123."
He added that in order to fight fire with fire, businesses need to boost their defences and "take a more intelligent approach that enables them to detect early indications of a compromise and neutralise threats before data gets into the wrong hands."
However, Mark James, security specialist at ESET, explained that the responsibility doesn't just fall to the business. Parents should be more security savvy to stop their children becoming targets for hackers.
"We need to ensure more than ever that we educate our children on the importance of engaging us and seeking help and guidance when dealing with emails, explaining and even showing them the dangers of clicking email links or heading off to the latest “must see” website," he explained.
He added that talking to them about indicators for a hack is also a good idea, including that their device may be running slower than normal if it's been affected, or not being able to use them while they are cleaned or even reinstalled might help get the facts across.
"Ensuring all devices are kept up to date and making sure a good internet security product is installed where possible will help combat any later attempts at using this data for purposes of malware infection, make sure you are very wary of any company asking for more info or to validate details that have already been submitted," he added.
Emily Orton, director at Darktrace, added that companies such as Sanrio "need to urgently rethink the ways that they protect their information and reputation.
"The status quo of security is not good enough anymore – we know that companies face continual threats. Now it is time to do something about it, and bolster internal monitoring systems that work to catch early signs of compromise," she said.
The news of the breach comes after the hacking of electronic toy firm VTech last month. A man was later arrested on suspicion of "unauthorised access" to a computer, according to a statement by the South East Regional Organised Crime Unit (Serocu).
The hack exposed details of 4.8 million customers, including 200,000 children, making it one of the biggest consumer data breaches ever.
Vickery has of late also discovered security breaches at MacKeeper, OKHello, Slingo and Hzone.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.