The Great Hello Kitty Hack of 2015

Over 3 million Hello Kitty fans have their information exposed in a hack that could leave identities—and passwords—of kids and their parents vulnerable to cyber attacks.

Hello Kitty is the Internet’s cutest new security threat.

Parents are on alert after 3.3 million user credentials for the website sanriotown.com were found in an online database. SanrioTown, the official website for Hello Kitty and other Sanrio toy brands, is a popular destination for children. Now these users’ names, genders, birthdays, and password retrieval questions are available online.

Hackers began storing SanrioTown user information in an online database, with copies on at least two backup servers as early as November, security researcher Chris Vickery found. Userdata from the related Sanrio sites hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com were also included in the leak.

The databases included users’ full names, birthdays, genders, nationalities, email addresses, and password retrieval questions.

The database also included passwords, which were saved as “unsalted SHA-1 password hashes,” an encryption form that stores passwords as series of scrambled letters and numbers. While these encrypted passwords might appear outwardly secure, they are assembled using the same key. Users with the same passwords will be represented by the same series of scrambled letters, allowing hackers to build databases of common passwords and break into accounts.

Children, who are likely to use SanrioTown and unlikely to invest much effort into hack-resistant passwords, are particularly susceptible to this kind of attack.

The databases did not contain credit card information, although SanrioTown accepts credit cards for online purchases and donations. But access to one password can lead hackers to users’ profiles on other sites.

Approximately 55 percent of adults use the same password for most of their online profiles, a 2013 study by a U.K.-based communications watchdog found. Salted Hash, the securities blog that first reported the SanrioTown leak, is advising users to change their passwords and security questions on other websites, especially on online banking sites and social media platforms that contain personal information.

Hello Kitty is not the first toy to be hacked this year.

The similarly named Hello Barbie is also under scrutiny, after hackers revealed that the creepy, WiFi-enabled doll was a security nightmare. Hello Barbie records and stores children’s voices, and speaks to children based on their previous conversations. The little blonde doll is always listening, uploading information via vulnerable local WiFi networks.

Weak security and young users could make Hello Barbie a child predator’s favorite toy, two parents have claimed in a lawsuit against Barbie-manufacturer Mattel.

“It’s interactive, so if someone hacks into the server they could technically take over and ask questions like ‘Where do you live?’ or ‘Is anybody home?’” lawyer Michael Kelly told The Daily Beast this month. “You’re not dealing with competent adults, you’re dealing with vulnerable little kids.”

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

An attack on toy manufacturer VTech in November exposed even more users’ information, leaking photos, chat logs, and personal information for nearly 5 million parents and children. A 21-year-old U.K. man acquired user information from VTech’s Kid Connect program, an app that allows children on VTech tablets to communicate with their parents’ smartphones.

“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],” the hacker, who does not plan to publish the leak, told Motherboard. “I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames…of everyone in their Kid Connect contacts list.”

News of SanrioTown’s hack was released on Saturday, but the company only issued a public statement on Monday. “The alleged security breach of the SanrioTown site is currently under investigation,” Sanrio told The Daily Beast. “Information will be made available once confirmed.”

In lieu of a warning to users, SanrioTown’s latest Facebook post is a cartoon drawing of soft, pastel bunnies in baker’s hats.

“Life is all about taking risks,” the post tells SanrioTown’s 1.4 million Facebook followers, any of whom might have unknowingly exposed their data to hackers. “If you never take risks, then you’ll never know what you’re capable of.”