Hong Kong Hello Kitty fan site left user details exposed, but no personal data stolen, say owners
3.3 million accounts ‘vulnerable’ to breach, with access as simple as browsing web
More than three million accounts of Hello Kitty fans were left vulnerable to theft by hackers, but there is no evidence any data has been stolen, the Hong Kong-based company hosting the data said on Tuesday.
It would have been extremely easy for a bad guy to take the data, extremely easy. Almost as easy as downloading a web page.
A spokesman for Sanrio Digital, part-owned by Sanrio Co Ltd , the Japanese owner of the Hello Kitty brand, said it had fixed the hole after being notified by security researcher Chris Vickery that personal information of its users was accessible.
Vickery told Reuters by e-mail that the company had plugged the holes he had found in three servers. But he said the database had been exposed for nearly a month, meaning that anyone who knew its internet address could have accessed it.
“It would have been extremely easy for a bad guy to take the data,” he said. “Extremely easy. Almost as easy as downloading a web page.”
Sanrio Digital said in a statement that “at this time we have no indication that any personal information was stolen.”
The spokesman said 3.3 million accounts had been vulnerable, including the names, ages and gender of fans. He said that the accounts all belonged to users of the SanrioTown.com website, a community for fans of Hello Kitty.
