Hello Kitty Database of 3.3 Million Breached Credentials Surfaces

A database of 3.3 million Hello Kitty users tied to a 2015 breach surfaced over the weekend exposing thousands of minors to potential credential theft.

A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend.

The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery.

On Sunday a website that specializes in harvesting leaked credentials called LeakedSource, said the Sanrio database of 3,345,168 million users has surfaced. The disclosure was part of the website’s January 2017 update. According to original reports of the 2015 breach, 186,261 of the records belonged to Sanrio users under the age of 18.

On Monday, Vickery told Threatpost that Sanrio claimed that in 2015 that he was the only person to have accessed the database as part of his research. He said that Sanrio, at the time, said there were no additional intruders that may have swiped data from its database.

The data available via LeakedSource is reportedly¬†identical to what Vickery found and includes first and last name of users, encoded birthday data, gender, country of origin, email addresses, user name, unsalted SHA-1 hash passwords, password hint questions and answers. Oddly, added to the data Sanrio data is an “incomeRange” field with values ranging from 0 to 150.

Neither Sanrio nor LeakedSource returned a request to comment for this story.

At the time, Vickery said, the Sanrio database included user credentials for 3.3 million users of various Sanrio online services. Vickery said the database was stored using a MongoDB configuration that required no credentials for access.

Owners of misconfigured MongoDB have recently been hit hard with a rash of breaches where criminals delete databases and demand a ransom in return for data. Over the last two weeks the number of incidents of MongoDB hijacked for ransom jumped from 200 in December to 2,000 early last week. According to the latest reported by Cisco System’s Continuum blog, the number of hijacked databases reached 27,000 on Monday.

Suggested articles