Hackers Compromise Hello Kitty Fans’ Info, Infect Hyatt & Leak Hot Hollywood Scripts

Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches: 

DHS Catches Salesman Pitching Fresh, Stolen TV Scripts

A young hacker from the Bahamas got his hands on scripts for the upcoming season of a hit television drama, along with videos of celebrities in compromising positions. 

The man, Alonzo Knowles, 23, told an undercover investigator it was difficult to hack a high-profile celebrity directly. So instead, he looked through public photos for friends of the celebrity, and then hacked the friends’ accounts to find the celebrity’s personal information.

Then he sent the celebrities a fake text message that made it seem as though their account had been hacked. Some of the celebs wrote back with their password. When he gained access, he transmitted a virus that infiltrated their computer.

None of the victims were named in a recently released criminal complaint against Knowles.

The scheme began to unravel when a radio host, whom Knowles contacted as a potential buyer, reached out to the executive producer of the drama series that had been fleeced. Network representatives then approached Department of Homeland Security investigators, who had the radio host arrange a call between Knowles and an undercover agent.

On Dec. 21, Knowles tried to sell an agent 15 scripts for $80,000, and also provided the Social Security numbers of three professional athletes and a movie actress.

Among other items Knowles offered to sell were scripts for three comedy films, a hip hop biopic and another TV show; and, according to the complaint, sex tapes of celebrities.

"He gained access to a trove of highly guarded entertainment industry secrets sure to rattle the 130 celebrities whose email addresses and phone numbers he had, and many others," The New York Times reported. 

Hello Kitty Hacked before the Holidays

Security researcher Chris Vickery uncovered a leaked database of user accounts for Sanriotown.com and other Sanrio-owned websites, including hellokitty.com and mymelody.com. 

It is not clear how the data was stolen or came to appear online. 

"In addition to the primary sanriotown database, two additional backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is Nov. 22, 2015," according to CSO, which first reported the incident. 

The leaked passwords were encrypted with SHA-1 hashing, but not “salted” with random data, which is an additional layer of protection.

"That oversight, along with what Vickery describes as password reset information included in the breach, means the passwords should be considered compromised," according to Wired.

The breached data included full names, encoded by decipherable birth dates, email addresses, and encrypted passwords, along with password reset questions and answers.

Sanriotown.com, owned by Hong-Kong-based Sanrio Digital, hosts games and community forums related to Sanrio brands, so kids’ personal information may have been exposed. 

Hyatt Hotel Guests: Check Your Credit Card Statements

The hotel operator on Dec. 23 disclosed it has discovered malicious software, which can steal payment data, on the computers that run payment processing systems for Hyatt-managed locations.

Hyatt’s notice to customers contains very few details about the incident.

As of Sept. 30, Hyatt’s global portfolio included 627 properties in 52 countries.

Livestream Owns Up to Potential Data Breach

The video streaming service is warning customers an "unauthorized person may have accessed our customer account database." 

If that is the case, email addresses, names, an encrypted version of passwords, dates of birth, and phone numbers might be affected.

The company claimed to have 10,000 paying customers in 2014, according to the Los Angeles Times.