Online researcher Chris Vickery uncovered a database this weekend containing the personal information of 3.3 million accounts associated with Hello Kitty Online and official Hello Kitty websites, including SanrioTown.com, HelloKitty.com and MyMelody.com. The information included users' first and last names, birthdays, genders, countries of origin, email addresses, password hashes, password hint questions and answers, and other data, CSO Online reports. Some of the information was encrypted, but "easily reversible," according to the site. The breach was the result of a misconfigured database installation and all of the servers are now secure, CSO says.
"The alleged security breach of the SanrioTown site is currently under investigation," Sanrio said in a statement to the site. "Information will be made available once confirmed."
This incident comes on the heels of a highly publicized hack also involving a popular, child-focused property: VTech. That incident exposed the personal data, chat logs and photos of 6.3 million people, 200,000 of whom were children. This month, police arrested a man in the UK in relation to that hack.
Update: Sanrio has confirmed the issue, and says it's been fixed. A security advisory on the company's site notes that it left the door open to over 180,000 under-18s' data. It also claims that, to the best of its knowledge, no information was actually taken.