2017 security predictions

Hello Kitty database leaked to the web, 3.3 million fans affected

The incorrectly configured Sanrio database was copied prior to being fixed, a feat that went unnoticed for more than a year

Hello Kitty stand in Madrid
Credit: Javier Mediavilla Ezquibela

A Sanrio database that was misconfigured and exposed to the public in 2015 was eventually secured by the company.

In a statement, Sanrio said they didn’t believe any data was stolen. But that’s exactly what happened. Now, over a year later, the database has surfaced online. Its resurrection places 3.3 million Hello Kitty fans in the hot seat.

On December 19, 2015, Salted Hash broke the news that a MongoDB installation for Sanrio, the company behind Hello Kitty, was exposed to the public. The database was discovered by security researcher Chris Vickery.

At the time, Sanrio speculated the exposure was due to maintenance conducted several weeks prior, on November 20, 2015. The database contained just over 3.3 million records from sanriotown.com, including 186,261 records assigned to people under the age of 18.

Three days after the story broke, on December 22, 2015, Sanrio said they investigated the problem and fixed it.

“In addition, new security measures have been applied on the server(s); and we are conducting an internal investigation and security review into this incident. To the Company’s current knowledge, no data was stolen or exposed,” the statement concluded.

Unfortunately, someone did copy the database before the configuration error was fixed. It just isn’t clear when that copy was made. On Sunday, Salted Hash learned that the Sanrio database was added to the LeakedSource index.

Examining the LeakedSource records and comparing the field names to the screenshots shared by Vickery in 2015, the data is a match. For example, both sets of data use the “_createdFrom” field, as well as “dateOfBirth”, “gender”, “firstName”, “lastName”, etc.

Based on the samples shared with Salted Hash, it looks as if the LeakedSource records have been scrubbed of non-essential website data points, laving only the personal details intact.

In both databases, the records contain the account holder’s first and last name, birthday (encoded, but easily reversed), gender, country of origin, email addresses, user name, password (unsalted SHA-1 hash), password hint question, and the corresponding answer.

However, there is a field in the LeakedSource records that is new to this story, “incomeRange” with values running from 0 to 150. It isn’t clear what these values represent, but not every record has them.

As was the case previously, the fear is that the exposed database could cause problems for those registered, especially the children. It’s hard enough to deal with ID theft related issues as an adult. Such issues are only compounded for children, as the problems might not materialize for several years.

In 2015, Sanrio encouraged password resets and urged fans not to share passwords between websites. This is true today as well, but there’s no telling who followed the advice.

Also, there is no way to track who had access to this database, as it’s been circulating out of the public eye for a least a year before it was shared with LeakedSource.

Salted Hash has reached out to Sanrio for comment. We’ll update this story when they respond. Anyone with concerns about the information exposed can checkout Consumer.gov for advice on recovering from identity theft.

Update:

Sanrio issued a statement on Tuesday evening. In it, they briefly recap the events from 2015, including their previous alert. The statement goes on to dismiss the latest news, despite sample records matching the previously exposed database.

"Recently, reports have surfaced claiming that the 2015 data breach was not corrected. At this time, there is no evidence to support this claim.  The original data breach from SanrioTown.com users in 2015 did not include credit card information or other payment information. Users’ passwords are encrypted with the cryptographic hash function SHA-1.

"SanrioTown and Sanrio Digital notified users about the incident, advising them to change their passwords. Media were also notified."

It should be noted that this current Sanrio database currently circulating online doesn't have any financial data, and there have been no claims otherwise. Salted Hash has asked additional questions surrounding the sample data shared with Sanrio.

Update (14 January 2017):

After reviewing the sample data sets shared by Salted Hash, Sanrio has confirmed that the data indexed by LeakedSource "looks real" and likely originated from the exposed database in 2015. However, the company stopped short of confirming that LeakedSource's records and the records exposed two years ago are one in the same.

“Sanrio Digital recently received evidence that a 2015 data breach of the SanrioTown web site involved some user data theft,” the company said in a statement.

“At the time, we had no evidence of data theft, however we have now learned from reporter Steve Ragan of CSO Online that personal information of SanrioTown.com users was stolen during the 2015 data breach. According to Mr. Ragan, a database containing information of 3,345,168 SanrioTown users has been circulating since the time of the incident.

“He received the sample records from LeakedSource containing information of 30 SanrioTown users. We have verified that these sample records appear to be real. We cannot, however, relate the source of such sample records to the 2015 data breach and we are unable to verify whether the database of LeakedSource contains information of 3,345,168 SanrioTown users stolen during the 2015 SanrioTown data breach.”

A full copy of the Sanrio statement is available online.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
How much is a data breach going to cost you?