Hello Kitty Hacked before the Holidays

Entertainment // Hong Kong

Security researcher Chris Vickery uncovered a leaked database of user accounts for Sanriotown.com and other Sanrio-owned websites, including hellokitty.com and mymelody.com. 

It is not clear how the data was stolen or came to appear online. 

"In addition to the primary sanriotown database, two additional backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is November 22, 2015," according to CSO, which first reported the incident. 

The leaked passwords were hashed with SHA-1 but not “salted” with random data, which is an additional layer of protection. "That oversight, along with what Vickery describes as password reset information included in the breach, means the passwords should be considered compromised," according to Wired.
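The following added example (not from the original article or from Sanrio's systems) shows why the missing salt matters: with bare SHA-1, accounts that share a password store the same digest, while a per-account salt with a slow key-derivation function does not. The accounts, passwords, storage format and iteration count are constructed for illustration, and PBKDF2 is this example's choice of KDF.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

# Constructed sample accounts (not data from the breach).
ACCOUNTS = [
    ("alice@example.com", "kitty2015"),
    ("bob@example.com", "kitty2015"),
    ("carol@example.com", "melody!42"),
]

def sha1_unsalted(password: str) -> str:
    """Weak scheme described in the article: a bare SHA-1 digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def shared_digests(rows):
    """Group accounts by stored value; a group larger than one shares a password."""
    groups = defaultdict(list)
    for email, stored in rows:
        groups[stored].append(email)
    return {h: e for h, e in groups.items() if len(e) > 1}

def store_salted(password: str) -> str:
    """Hardened form: fresh 16-byte salt per account plus a slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def audit():
    """Return (shared values under unsalted SHA-1, shared values under salted PBKDF2)."""
    weak = [(email, sha1_unsalted(pw)) for email, pw in ACCOUNTS]
    strong = [(email, store_salted(pw)) for email, pw in ACCOUNTS]
    return shared_digests(weak), shared_digests(strong)

if __name__ == "__main__":
    weak_shared, strong_shared = audit()
    print("unsalted SHA-1, accounts sharing a digest:", list(weak_shared.values()))
    print("salted PBKDF2, accounts sharing a value:", list(strong_shared.values()))
```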

The breached data included full names, encoded but decipherable birth dates, email addresses, and hashed passwords, along with password reset questions and answers.

Sanriotown.com, owned by Hong-Kong-based Sanrio Digital, hosts games and community forums related to Sanrio brands, so kids’ personal information may have been exposed.