An online database containing information on some 3.3 million fans of Hello Kitty and other Sanrio products may have been wide open to hackers for a month or more, reports security researcher Chris Vickery. Real first and last names, locations, password hints and questions, and possibly passwords themselves may have been leaked, he told computer security news website CSO.
Hellokitty.com, mymelody.com and Sanriotown.com are among the websites served by the affected databases. Many of the 3.3 million users affected are likely to be children, as Hello Kitty is a popular kids' brand worldwide. It is not expected that images or audio of minor were exposed, as with recent security issues with Hello Barbie and VTech.
"The alleged security breach of the SanrioTown site is currently under investigation," Sanrio said in a statement provided to NBC News. "Information will be made available once confirmed."
In an email to NBC News, Vickery wrote that he found the database the same way he found another, larger one associated with the software MacKeeper last week. He used Shodan, a search engine that indexes public devices and servers — from unsecured webcams to databases like this one.
The Sanrio data was "very easily accessed. Very easily queried," Vickery wrote, and Shodan first listed it on Nov. 22, meaning it has potentially been exposed for an entire month. He said he contacted Sanrio to inform them of the vulnerability, but has not heard back.
Anyone who thinks they may have been affected by this hack should consider changing their passwords and password hints at other websites, as hackers may very easily access the ones stored on the Sanrio servers.