Leaked data includes real names, birth dates, and passwords.
Last week, 31-year-old IT support specialist Christopher Vickery uncovered a major breach in a widely reviled utility tool for Apple computers. This week, he’s moved on to a different side of the Internet—Hello Kitty and its millions of fans.
Vickery reportedly provided evidence to security news site CSO Online that the personal data of 3.3 million Hello Kitty fans is not secure. Vickery claimed to have obtained the information from multiple databases on Sanrio’s Hello Kitty website. Among the data he was allegedly able to access were full names, birth dates, “unsalted” passwords, and answers to password recovery hints.
Vickery is a type of hacker sometimes known as a security researcher—the kind who looks for ways to exploit website or software security and alerts the public about any data breaches they might find. Vickery found databases pulling information from numerous Sanrio websites, including the U.S., Singaporean, Malaysian, and Thai versions of the main Hello Kitty website, as well as MyMelody.com. The data may have been exposed as early as Nov. 22.
CSO Online reported that Sanrio had been contacted about the breach, and encouraged parents and children who frequented the Hello Kitty website to make sure the password they used there wasn’t duplicated on other websites they access regularly.
Vickery did not immediately respond to a request for comment.