Sanrio, creator of Hello Kitty and other popular characters, on Tuesday said it has fixed a security vulnerability that exposed information on 3.3 million users from its fan website SanrioTown.com.
In a statement provided to NBC News, the company wrote:
"On December 19, it was revealed through outside sources that personal information such as names, date of birth, gender, and other information belonging to SanrioTown.com members was accessible if you knew the address of the vulnerable servers. The vulnerable data did not include credit card information or other payment information and passwords were securely encrypted.
"Sanrio Digital has investigated the problem and the vulnerability has been corrected. In addition, new security measures have been applied on the server(s); and we are conducting an internal investigation and security review into this incident. To the Company’s current knowledge, no data was stolen or exposed."
The vulnerability was originally discovered by security researcher Chris Vickery, who in an earlier email to NBC News described the data on the servers as "very easily accessed." Some 3.3 million accounts were exposed, though Japan-based Sanrio has not said how many of those belonged to children.
Because password information and hints were exposed, however, it is advisable that anyone who thinks they may have been affected change their passwords at other sites.