Sanrio, the parent company of Hello Kitty, has been breached, and the leaked data includes 3.3 million user credentials.
The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery.
On Sunday, LeakedSource, a website that specializes in harvesting leaked credentials, said the Sanrio database of 3,345,168 users has surfaced. The disclosure was part of the website’s January 2017 update. According to original reports of the 2015 breach, 186,261 of the records belonged to Sanrio users under the age of 18.
Three days after the story broke, on December 22, 2015, Sanrio said they investigated the problem and fixed it.
“In addition, new security measures have been applied on the server(s); and we are conducting an internal investigation and security review into this incident. To the Company’s current knowledge, no data was stolen or exposed,” the statement concluded.
Unfortunately, someone did copy the database before the configuration error was fixed. It just isn’t clear when that copy was made. On Sunday, Salted Hash learned that the Sanrio database was added to the LeakedSource index.
The data available via LeakedSource is reportedly identical to what Vickery found and includes users’ first and last names, encoded birthday data, gender, country of origin, email addresses, usernames, unsalted SHA-1 password hashes, and password hint questions and answers. Oddly, added to the Sanrio data is an “incomeRange” field with values ranging from 0 to 150.