Hello Kitty is the Internet’s cutest new security threat.
Parents are on alert after 3.3 million user credentials for the website sanriotown.com were found in an online database. SanrioTown, the official website for Hello Kitty and other Sanrio toy brands, is a popular destination for children. Now these users’ names, genders, birthdays, and password retrieval questions are available online.
Hackers began storing SanrioTown user information in an online database, with copies on at least two backup servers, as early as November, security researcher Chris Vickery found. User data from the related Sanrio sites hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com was also included in the leak.
The databases included users’ full names, birthdays, genders, nationalities, email addresses, and password retrieval questions.
The database also included passwords, which were saved as “unsalted SHA-1 password hashes,” a hashing method that stores passwords as series of scrambled letters and numbers. While these hashed passwords might appear outwardly secure, they are all computed the same way, with no per-user random value (a “salt”) mixed in. Users with the same passwords will be represented by the same series of scrambled letters, allowing hackers to build databases of common passwords and break into accounts.
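The difference between unsalted SHA-1 and a salted, slow hash can be seen in a short audit. This is an added example, not code from SanrioTown or the researchers; the account names, passwords, and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample accounts (not from the leak): two users share a password.
SAMPLE_USERS = {
    "user_a": "kitty123",
    "user_b": "kitty123",
    "user_c": "melody-2015!",
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """The weak scheme: the digest depends on the password alone."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None):
    """Hardened form: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], expected)


def shared_values(stored: dict) -> int:
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)


def audit():
    """Return (accounts sharing a value under SHA-1, same under salted PBKDF2)."""
    weak = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: salted_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    return shared_values(weak), shared_values(strong)


if __name__ == "__main__":
    weak_shared, strong_shared = audit()
    print(f"unsalted SHA-1: {weak_shared} accounts share a digest")
    print(f"salted PBKDF2:  {strong_shared} accounts share a stored value")
```

With the unsalted scheme, the two accounts that reuse a password are visible from the stored values alone; with a per-user salt, no two stored values match even though the passwords do.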
Children, who are likely to use SanrioTown and unlikely to invest much effort into hack-resistant passwords, are particularly susceptible to this kind of attack.
The databases did not contain credit card information, although SanrioTown accepts credit cards for online purchases and donations. But access to one password can lead hackers to users’ profiles on other sites.
Approximately 55 percent of adults use the same password for most of their online profiles, a 2013 study by a U.K.-based communications watchdog found. Salted Hash, the security blog that first reported the SanrioTown leak, is advising users to change their passwords and security questions on other websites, especially on online banking sites and social media platforms that contain personal information.
Hello Kitty is not the first toy to be hacked this year.
The similarly named Hello Barbie is also under scrutiny, after hackers revealed that the creepy, WiFi-enabled doll was a security nightmare. Hello Barbie records and stores children’s voices, and speaks to children based on their previous conversations. The little blonde doll is always listening, uploading information via vulnerable local WiFi networks.
Weak security and young users could make Hello Barbie a child predator’s favorite toy, two parents have claimed in a lawsuit against Barbie-manufacturer Mattel.
“It’s interactive, so if someone hacks into the server they could technically take over and ask questions like ‘Where do you live?’ or ‘Is anybody home?’” lawyer Michael Kelly told The Daily Beast this month. “You’re not dealing with competent adults, you’re dealing with vulnerable little kids.”
An attack on toy manufacturer VTech in November exposed even more users’ information, leaking photos, chat logs, and personal information for nearly 5 million parents and children. A 21-year-old U.K. man acquired user information from VTech’s Kid Connect program, an app that allows children on VTech tablets to communicate with their parents’ smartphones.
“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],” the hacker, who does not plan to publish the leak, told Motherboard. “I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames…of everyone in their Kid Connect contacts list.”
News of SanrioTown’s hack was released on Saturday, but the company only issued a public statement on Monday. “The alleged security breach of the SanrioTown site is currently under investigation,” Sanrio told The Daily Beast. “Information will be made available once confirmed.”
In lieu of a warning to users, SanrioTown’s latest Facebook post is a cartoon drawing of soft, pastel bunnies in baker’s hats.
“Life is all about taking risks,” the post tells SanrioTown’s 1.4 million Facebook followers, any of whom might have unknowingly exposed their data to hackers. “If you never take risks, then you’ll never know what you’re capable of.”