Hong Kong Hello Kitty fan site left user details exposed, but no personal data stolen, say owners
3.3 million accounts ‘vulnerable’ to breach, with access as simple as browsing web
More than three million accounts of Hello Kitty fans were left vulnerable to theft by hackers, but there is no evidence any data has been stolen, the Hong Kong-based company hosting the data said on Tuesday.
It would have been extremely easy for a bad guy to take the data, extremely easy. Almost as easy as downloading a web page.
A spokesman for Sanrio Digital, part-owned by Sanrio Co Ltd , the Japanese owner of the Hello Kitty brand, said it had fixed the hole after being notified by security researcher Chris Vickery that personal information of its users was accessible.
Vickery told Reuters by e-mail that the company had plugged the holes he had found in three servers. But he said the database had been exposed for nearly a month, meaning that anyone who knew its internet address could have accessed it.
“It would have been extremely easy for a bad guy to take the data,” he said. “Extremely easy. Almost as easy as downloading a web page.”
Sanrio Digital said in a statement that “at this time we have no indication that any personal information was stolen.”
The spokesman said 3.3 million accounts had been vulnerable, including the names, ages and gender of fans. He said that the accounts all belonged to users of the SanrioTown.com website, a community for fans of Hello Kitty.
The spokesman said while the company technically doesn’t allow minors to sign up, this was implemented through an honour system, meaning that those younger than 13 could register by lying about their age.
News of the hole in the Sanrio Digital-hosted site follows last month’s breach of another Hong Kong company, electronic toymaker VTech Holdings Ltd. Millions of records of parents and children were compromised.
READ MORE: Hong Kong childhood tech firm VTech is hacked, exposing data of 5 million customers and kids
In that case the hacker who found the vulnerability stole the data but shared some of it with a researcher and was reported as saying he had no plans to sell it. UK police arrested a 21-year old man last week in connection with the hack.
U.S.-based Vickery, who explores security vulnerabilities in his spare time and reports them to the affected companies, said the hole in the Hello Kitty site was the result of a simple misconfiguration of a database, leaving it open to public access without a password or authentication.
He said he had found thousands of similar vulnerabilities simply by searching an online database of connected devices.
READ MORE: Hacking of Hong Kong’s VTech may prove worst cybersecurity breach of 2015 in Asia
Sanrio Co is best known for its Hello Kitty character which emblazons items ranging from stationery to clothing. Sanrio Digital is 70 per cent owned by Hong Kong games company Typhoon Games Ltd, with the rest held by Sanrio Wave Hong Kong Co, a unit of Sanrio Co.
A spokesman for Sanrio in Tokyo said that the Hong Kong website had no connection to a Sanrio shareholder database, which leaked data earlier this year through a security hole in a system managed by a shareholder service company.
