Hello Kitty database leaked online, 3.3 million fans affected

Pierluigi Paganini January 10, 2017

The Hello Kitty MongoDB database leaked online one year ago recently surface on the web, it includes 3.3 million records belonging to Hello Kitty fans.

The security researcher Chris Vickery discovered a Sanrio database that was misconfigured and exposed to the public in 2015.

On December 2015, Vickery reported the discovery to Databreaches.net and Salted Hash.

According to Vickery not only the primary database sanriotown.com was affected, the fan portals of the following websites were also impacted by the leak:

  • hellokitty.com;
  • hellokitty.com.sg;
  • hellokitty.com.my;
  • hellokitty.in.th;
  • mymelody.com.

The expert noticed that 186,261 of the records belonged to Sanrio users under the age of 18.

At the time of its discovery, Sanrio explained that it doesn’t believe the data was stolen. Now the same MongoDB database has surfaced online and the 3.3 million records put Hello Kitty fans at risk.

During the weekend, the data breach notification service LeakedSource confirmed that a Sanrio database containing 3,345,168 million users has surfaced online.

The records contained in the leaked database include first and last names, gender, encoded birthday (easily reversible), country, email addresses, SHA-1 hash passwords, password hint questions with corresponding answers, and other information.

Hello Kitty portal


Vickery confirmed that data available via LeakedSource is identical to what he discovered more than a year ago.

The unique difference between the two databases is a field, dubbed ‘incomeRange,’ in the LeakedSource records that was not present in the original archive. The “incomeRange” attribute comes with values running from 0 to 150, but it is still unclear its meaning.

Chris Vickery discovered many other clamorous cases of open MongoDB exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

A few hours ago I published another post related to cyber attacks against misconfigured MongoDB databases.

MongoDB ransom attacks soar, according to the Australian Communications and Media Authority Antipodes the number of hacked systems more than double to 27,000 in just a day. According to the experts, the hackers are implementing an extortion mechanism copying and deleting data from vulnerable databases.
[adrotate banner=”9″]Pierluigi Paganini(Security Affairs – Hello Kitty MongoDB, hacking)

you might also like

leave a comment