|
 'Hello
Kitty' fan site exposed, but no data stolen: web host
Send a link to a friend
[December 22, 2015]
By Jeremy Wagstaff
SINGAPORE (Reuters) - More than three
million accounts of Hello Kitty fans were left vulnerable to theft by
hackers, but there is no evidence any data has been stolen, the Hong
Kong-based company hosting the data said on Tuesday.
|
|
 A spokesman for Sanrio Digital, part-owned by Sanrio Co Ltd, the
Japanese owner of the Hello Kitty brand, said it had fixed the hole
after being notified by security researcher Chris Vickery that
personal information of its users was accessible.
Vickery told Reuters by e-mail that the company had plugged the
holes he had found in three servers. But he said the database had
been exposed for nearly a month, meaning that anyone who knew its
internet address could have accessed it.
"It would have been extremely easy for a bad guy to take the data,"
he said. "Extremely easy. Almost as easy as downloading a web page."
Sanrio Digital said in a statement that "at this time we have no
indication that any personal information was stolen."
The spokesman said 3.3 million accounts had been vulnerable,
including the names, ages and gender of fans. He said that the
accounts all belonged to users of the SanrioTown.com website, a
community for fans of Hello Kitty.
No credit card or other payment information was included in the
vulnerable data, and passwords "were securely encrypted," according
to the statement.
The spokesman said while the company technically doesn't allow
minors to sign up, this was implemented through an honour system,
meaning that those younger than 13 could register by lying about
their age.
News of the hole in the Sanrio Digital-hosted site follows last
month's breach of another Hong Kong company, electronic toymaker
VTech Holdings Ltd. Millions of records of parents and children were
compromised.
In that case the hacker who found the vulnerability stole the data
but shared some of it with a researcher and was reported as saying
he had no plans to sell it. UK police arrested a 21-year old man
last week in connection with the hack.
[to top of second column] |
U.S.-based Vickery, who explores security vulnerabilities in his
spare time and reports them to the affected companies, said the hole
in the Hello Kitty site was the result of a simple misconfiguration
of a database, leaving it open to public access without a password
or authentication.
He said he had found thousands of similar vulnerabilities simply by
searching an online database of connected devices.
Sanrio Co is best known for its Hello Kitty character which
emblazons items ranging from stationery to clothing. Sanrio Digital
is 70 percent owned by Hong Kong games company Typhoon Games Ltd,
with the rest held by Sanrio Wave Hong Kong Co, a unit of Sanrio Co.
A spokesman for Sanrio in Tokyo said that the Hong Kong website had
no connection to a Sanrio shareholder database, which leaked data
earlier this year through a security hole in a system managed by a
shareholder service company.
(Additional reporting by Makiko Yamazaki in Tokyo, Anne Marie
Roantree and Lee Yi-Mou in Hong Kong, Devika Krishna Kumar, Anya
George Tharakan and Kshitiz Goliya in Bengaluru; Editing by Raju
Gopalakrishnan)
[© 2015 Thomson Reuters. All rights
reserved.] Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
 |
