(Recasts; company says gap plugged, no data lost)
By Jeremy Wagstaff
SINGAPORE, Dec 22 (Reuters) - More than three million
accounts of Hello Kitty fans were left vulnerable to theft by
hackers, but there is no evidence any data has been stolen, the
Hong Kong-based company hosting the data said on Tuesday.
A spokesman for Sanrio Digital, part-owned by Sanrio Co Ltd
8136.T, the Japanese owner of the Hello Kitty brand, said it
had fixed the hole after being notified by security researcher
Chris Vickery that personal information of its users was
accessible.
Vickery told Reuters by e-mail that the company had plugged
the holes he had found in three servers. But he said the
database had been exposed for nearly a month, meaning that
anyone who knew its internet address could have accessed it.
"It would have been extremely easy for a bad guy to take the
data," he said. "Extremely easy. Almost as easy as downloading a
web page."
Sanrio Digital said in a statement that "at this time we
have no indication that any personal information was stolen."
The spokesman said 3.3 million accounts had been vulnerable,
including the names, ages and gender of fans. He said that
the accounts all belonged to users of the SanrioTown.com
website, a community for fans of Hello Kitty.
No credit card or other payment information was included in
the vulnerable data, and passwords "were securely
encrypted," according to the statement.
The spokesman said while the company technically doesn't
allow minors to sign up, this was implemented through an
honour system, meaning that those younger than 13 could register
by lying about their age.
News of the hole in the Sanrio Digital-hosted site follows
last month's breach of another Hong Kong company, electronic
toymaker VTech Holdings Ltd 0303.HK. Millions of records of
parents and children were compromised.
In that case the hacker who found the vulnerability stole
the data but shared some of it with a researcher and was
reported as saying he had no plans to sell it. UK police
arrested a 21-year-old man last week in connection with the
hack.
U.S.-based Vickery, who explores security vulnerabilities in
his spare time and reports them to the affected companies, said
the hole in the Hello Kitty site was the result of a simple
misconfiguration of a database, leaving it open to public access
without a password or authentication.
He said he had found thousands of similar vulnerabilities
simply by searching an online database of connected devices.
Sanrio Co is best known for its Hello Kitty character which
emblazons items ranging from stationery to clothing. Sanrio
Digital is 70 percent owned by Hong Kong games company Typhoon
Games Ltd, with the rest held by Sanrio Wave Hong Kong Co, a
unit of Sanrio Co.
A spokesman for Sanrio in Tokyo said that the Hong Kong
website had no connection to a Sanrio shareholder database,
which leaked data earlier this year through a security hole in a
system managed by a shareholder service company.
(Additional reporting by Makiko Yamazaki in Tokyo, Anne Marie
Roantree and Lee Yi-Mou in Hong Kong, Devika Krishna Kumar, Anya
George Tharakan and Kshitiz Goliya in Bengaluru; Editing by Raju
Gopalakrishnan)