Hello Kitty, goodbye data: 3.3 million children put at risk online

Yet again, the personally identifiable details of millions of children have been stolen, leading some experts to question how well they were secured and others to ask: should children even be allowed to use the internet?

Hello Kitty, goodbye data ("Hello Kitty-Bremen" by CHR!S/Wikimedia)

The personal details of over three million Hello Kitty fans – many of them children – have been leaked online in another case of vulnerability in MongoDB databases.

The data, including the names, email addresses, birthdays, gender and crackable passwords of 3.3 million members of the official Hello Kitty online community, has been found open to hackers by white-hat security researcher Chris Vickery.

It follows his discovery last week that the records of 13 million users of the controversial MacKeeper security tool, and other MongoDB databases including a dating app for HIV-positive singles, could be easily accessed online. Vickery found the data using a simple Shodan search.

He reported the latest leak on Saturday to security sites Salted Hash and Databreaches.net. The data is held by Sanrio, owner of the Hello Kitty brand and other animated characters.

According to Salted Hash, the exposed credentials are stored on a primary SanrioTown database and two backup servers. Those affected include users of five fan portals: hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com. Vickery has notified Sanrio and the ISP used to host the data.

Vickery has raised questions over Sanrio's use of unsalted SHA-1 password hashes, and birthday data that was encoded but easily crackable. Sanrio had not responded at time of writing.
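
Why unsalted SHA-1 is a weak way to store passwords, shown as an added example that is not from the article or from Sanrio's systems: identical passwords collapse to identical digests, whereas a per-user salt with a memory-hard KDF does not. The sample accounts are constructed, and the function names and scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts for illustration (not data from the leak).
SAMPLE_USERS = [
    ("alice", "kitty123"),
    ("bob", "kitty123"),   # same password as alice
    ("carol", "melody!9"),
]

def sha1_unsalted(password):
    """Weak scheme named in the article: a bare SHA-1 digest with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def scrypt_hash(password, salt=None):
    """Hardened form: random per-user salt plus a memory-hard KDF (scrypt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def scrypt_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = scrypt_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_digests(stored):
    """Count accounts whose stored value is shared with another account.

    A non-zero result on a credential table is a sign that passwords were
    hashed without a per-user salt.
    """
    counts = Counter(stored.values())
    return sum(c for c in counts.values() if c > 1)

def build_tables(users=SAMPLE_USERS):
    """Store the same accounts under both schemes for comparison."""
    weak = {user: sha1_unsalted(pw) for user, pw in users}
    strong = {user: scrypt_hash(pw) for user, pw in users}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("accounts sharing a digest (unsalted SHA-1):", shared_digests(weak))
    print("accounts sharing a digest (salted scrypt): ", shared_digests(strong))
```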

The Hello Kitty leak inevitably involves many children, and follows just weeks after hackers stole photos, chat logs and other data relating to around 6.4 million children and 5 million adults from electronic toy maker VTech. A 21-year-old man was arrested last week in Bracknell, Berkshire in connection with the VTech breach.

It also follows recent warnings that the latest Hello Barbie internet-connected children's toy is easily hackable.

The Hello Kitty exposé raises renewed questions about the safety of children online – and the impact of the upcoming pan-European Data Protection law which offers extra safeguards for children's data and promises heavy fines for companies who fail to properly protect data.

UK security expert Sarb Sembhi, CTO of the Noord Group and a leading member of the ISACA security professionals group, told SC via email: “There is a high possibility of a trend in criminals targeting children's data, on the basis that their credit records are not regularly checked by their parents. This could mean that young people will have bad credit records (created by criminals) even before they have officially opened their own first bank account in their name.”

But Sembhi pointed out: “Websites catering for children will be impacted by the recently agreed EU General Data Protection Regulation (EU GDPR). Firms have several obligations specific to children. Firms will have to implement controls that keep them on top of vulnerabilities and patching like never before once the EU GDPR comes into effect.”

Mark James, security specialist at IT security firm ESET, said in a statement to journalists: “As adults we get inundated with emails to click or sign up here and most, thankfully, end up in the recycle bin. But children are a lot more susceptible to emails that read ‘Click here for that new in-game item’ or new websites that promise to give them something they don't already have but NEED to own.

“The fact that our children are getting their own email addresses and access to a lot more online devices younger and younger poses a real threat. We need to ensure that we educate our children on the importance of seeking help and guidance when dealing with emails, explaining and even showing them the dangers of clicking links or heading off to the latest ‘must see’ website.”

Professor John Walker, director of cyber-consultancy firm Hexforensics, told SC via email: “This is yet another example of innocent children using the internet where they are exposed to the perverse in the midst of our population, to locate, target and potentially groom their victims.

“There is a clear position here – we are all open to abuse and criminality when using the internet. However, when this exposure focuses on the young and innocent who have not yet evolved the ability to identify the clear indications of danger, I must pose the question: can we allow any child to use the wild west of an online world in which even adults fall victims to criminality?”