Hello Kitty Owner Sanrio Says Fan Website Security Leak Fixed; 3.3m Users Potentially Affected

HONG KONG — The Japanese company that owns the Hello Kitty brand said it has fixed a security leak in an online fan site for the character that compromised the personal information of 3.3 million users.

 

Sanrio Co.'s digital arm said Tuesday that it "corrected" a security vulnerability on the SanrioTown.com website and was investigating. The leak was discovered Saturday by a security researcher.

 

Hong Kong-based Sanrio Digital said anyone who knew the Internet addresses of "specific vulnerable servers" could have accessed personal information such as names and birthdates. Passwords were also available but encrypted.

 

However, it added that the data did not include credit card or other payment details, and that no information was stolen.

 

"We investigated the problem and applied fixes, including securing the servers identified as vulnerable" by the researcher, the company said in a security advisory posted on the site.

 

The security researcher who identified the problem, Chris Vickery, disputed Sanrio's claim that information was not accessed, since he used multiple IP addresses himself to access data and confirm the vulnerability. He also believes Sanrio would have discovered the problem easily had it paid attention to its security practices.

 

SanrioTown.com is an online community for Hello Kitty enthusiasts around the world operated by Sanrio Digital. The site lets users play games, watch videos and keep up with news on their favourite cute character.

 

The site's members include 186,261 minors, said Mark Leeper, whose public relations firm is representing Sanrio Digital.

 

It's the second Internet security breach in the past month involving a large amount of children's data.

 

Kids' technology maker VTech reported a data breach that exposed the personal information of 6.4 million children around the world as well as 4.9 million parent accounts to which they were connected. British police have arrested one man on hacking-related charges in that case.

 

Sanrio Digital is a joint venture between Hong Kong game developer Typhoon Games, which has a 70 per cent stake, and Sanrio, which owns the rest.