Anyone who wants to play the popular multi-player game Hello Kitty Online must register on SanrioTown.com.
Hello Kitty is everywhere — on backpacks, shirts and notepads. Now she’s the face of a reported data breach that affects up to 3.3 million people.
Personal information for fans who connect through SanrioTown.com had been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required, a security researcher said over the weekend. SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online.
The unprotected data doesn’t simply include usernames, email addresses and password hints. It also contains people’s names, dates of birth, genders and other identifying information, said researcher Chris Vickery.
Sanrio said it doesn’t create accounts for children under 13. However, the leaked information, which came from users all over the world, appears to include accounts for those under age 18.
It’s unclear how much data on children is involved, and this news is eclipsed by last month’s hack of user information on more than 6 million children from toy software company VTech. But the reported discovery of the SanrioTown information shows that it doesn’t always take hackers with advanced skills to breach sensitive information, including that of children.
Sanrio said in a statement that an “alleged” breach is under investigation and that “information will be made available once confirmed.” Sanrio didn’t confirm the researcher’s description of the breach, nor did it respond to a question about whether information from minors was included in the reportedly exposed data.
Vickery showed CNET a sample of the records he saw, which includes a list of usernames, scrambled-up passwords, first and last names, genders, birth dates and answers to security questions like “What is your favorite food.” In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database.
Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud.
The security researcher has made a name for himself finding unprotected information on the Internet. Earlier this month, he discovered information for 13 million users of the security app MacKeeper. He also found more than 1 million health insurance records left unsecured by a payment processing company in September.
He spends his days helping computer users as an IT technician but makes sleuthing out unprotected data his hobby because he thinks too many companies are being “reckless” and “lazy” about keeping user information safe.
What’s troubling about the reported SanrioTown breach is that someone doesn’t need advanced hacking skills to find and read the information. To the contrary, it can be found through a website, Shodan.io, which looks for data in the same way Google looks for websites, Vickery said. Finding data takes some digging, he added, but with time and curiosity, anyone with a Web browser can find information like that of SanrioTown.
“It’s kind of the whole, ‘Oh, it won’t happen to me’ mentality,” Vickery said. That, he said, is why he’s talking about it to the press.