Data on more than 3 million users of HelloKitty.com and other sites related to the popular character was exposed to the Internet through an insecure database, Austin-based security researcher Chris Vickery reported this weekend.
Vickery, who has recently uncovered millions of accounts' worth of potentially sensitive user data stored in publicly accessible databases at insurance claim management software company Systema Software, security software maker Kromtech, and HIV-positive dating app Hzone, says the database includes users' names, emails, encoded birthdates, passwords, and other information.
He says he discovered the cache of Hello Kitty data through Shodan, a search engine for Internet-enabled devices that's popular with hackers and security researchers for its index of openly accessible data other than ordinary websites. The database came up in a search for publicly accessible databases created with the popular MongoDB platform, he says. While it wasn't labeled as belonging to Sanrio, the company behind Hello Kitty, its ties to the Hello Kitty sites were apparent from the data, he says.
"The Hello Kitty database isn't marked as Hello Kitty," he says. "It goes by another name that I'm not sharing right now."
The database appears to no longer be accessible, he says.
"The alleged security breach of the SanrioTown site is currently under investigation," the company said in a statement Monday afternoon, referring to an official forum site said to be involved in the breach. "Information will be made available once confirmed."
Shodan cofounder John Matherly wrote last week in a blog post that the search engine indexed more than 35,000 publicly accessible MongoDB instances, warning that many may be unintentionally available thanks to misconfigured servers. And common tools make accessing those databases almost as simple as opening a Google spreadsheet.
Vickery says he has reported approximately two dozen vulnerable sites to their owners this year, including a database at Kromtech that exposed data on roughly 13 million users of its security tool MacKeeper. In that case, Kromtech said there was no sign the data was accessed by anyone beside Vickery, but Vickery says he generally assumes he's not the only one able to find such vulnerable databases.
"My theory is that in most of these cases it has been compromised, and the companies just aren't watching logs or aren't willing to admit it," he says. "If I'm coming across it, I'm pretty sure somebody else is coming across it."
In the current breach, he advises Hello Kitty fans to change their passwords anywhere they may have used the same credentials.
"If you've reused that password, change it anywhere else you've used it," he says.
Even though the passwords were stored in encrypted form, they could still potentially be cracked by determined hackers. Though, as the leak indicates, it's clear plenty of personal data is accessible with no password at all—something privacy advocates say needs to change.
"I think at this point, it would be appropriate for federal regulators who enforce data security to issue guidances or news releases that even more businesses and entities might see and act upon to secure their databases," wrote the anonymous editor of DataBreaches.net, which has worked to publicize many of Vickery's discoveries, in an email to Fast Company. "Until then, you can reasonably expect that Chris will just keep finding these leaks and turning them over to the media, and that entities will incur the costs of incident response and hits to their reputation."