Hackers are at it again, once more taking aim at children’s identifying information by breaching a major-name children’s brand. Sanrio, the Japan-based owners of Hello Kitty and several similar characters, was notified that a few of their websites were compromised by outsiders who nabbed the information from as many as 3.3 million user accounts. A complete database containing the user account information from these accounts has already been leaked online, and was discovered by cybersecurity expert Chris Vickery.


According to Vickery’s report to CSO’s Salted Hash blog, information leaked online included “first and last names, birthday (encoded, but easily reversible), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.” Two Sanrio servers were also mirrored online.

Given Hello Kitty’s typical target audience, this kind of breach is even scarier than a run-of-the-mill retailer or corporate breach. It’s also not the first time this year hackers have gone after the juvenile market. Only a matter of weeks ago, a lone hacker (who has since been arrested) accessed the complete database of VTech’s registered users; while that incident included millions of parents’ information, it also nabbed millions of kids’ names, photos, genders, birth dates, and even their chat logs in the Learning Lodge app. That information could then be cross-referenced back to their physical addresses through their parents’ accounts.

While the unnamed VTech hacker has stated that he did it to call attention to the weak security surrounding VTech’s site and not to make a profit or commit crimes against children, that can’t yet be said of the Hello Kitty breach. While identity thieves love the financial “clean slate” that children’s identities offer, websites like VTech and Hello Kitty don’t even collect the type of information that identity thieves would need in order to open financial accounts in the kids’ names. That can only lead us to wonder if there wasn’t a far more ominous reason for targeting children and teens–from a predominantly female-oriented website–in this way.

For now, Sanrio isn’t commenting on the issue as their investigation is still underway. Vickery, however, described the process by which the passwords were compromised: according to his contact with Salted Hash, “the leaked passwords were encrypted with SHA-1 hashing, but not ‘salted’ with random data, an additional step to strengthen that encryption.” He’s cautioned users to change their passwords immediately, and as several Sanrio websites under the Hello Kitty and My Melody brands were compromised, it’s important to change all of the passwords account holders may have.