Data Breach: Unprotected Online Database Exposed The Sensitive Information Of About 3.3 Million Hello Kitty Users
A security researcher found a database online containing the sensitive information of customers of the Hello Kitty gaming site. Just before the Christmas holiday, C|Net reported:
"Personal information for fans who connect through SanrioTown.com has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required... SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online."
C|Net also reported that the security researcher:
"... showed CNET a sample of the records he saw, which includes a list of usernames, scrambled up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database. Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud."
Reportedly, the database sat open and exposed for about a month. This breach was found by the same security researcher who, earlier in December, found a flaw in the MacKeeper security software, which exposed the sensitive information of 13 million Apple users. SanrioTown is still investigating its breach, and its users must change both their passwords and security questions.
"Sanrio Digital, a subsidiary of the Japanese owner of “Hello Kitty,” a popular children’s brand, told Reuters on Tuesday that it patched a security glitch that had affected one of its databases being tipped off by Chris Vickery, a U.S.-based researcher who helps identify and fix vulnerable computer systems... Sanrio has insisted that evidence has so far failed to suggest that anyone other than Mr. Vickery had accessed the database with authorization..."
Reportedly, the breach exposed the following data elements: full names, birthdays, genders, email addresses and related information about 3.3 million account holders. That included information about 186,261 persons under the age of 18. Payment information (e.g., credit cards) was not exposed, according to the SanrioTown security statement.
Two items about this breach need to be highlighted:
- The operative phrase in the company's statement is, "that evidence so far..." More evidence may surface later; and
- The company did not discover its own database sitting open, unprotected in the wild. An external security researcher found it. That fact does not bode well for the company's security team and data security processes.
What are your opinions of this data breach?