The Japanese company that owns the Hello Kitty brand said it has fixed a security leak in an online fan site for the famous character that compromised the personal information of 3.3 million users.
Sanrio Co.’s digital arm said Tuesday that it “corrected” a security vulnerability on the SanrioTown.com website and was carrying out an investigation. The leak was discovered Saturday by a security researcher.
Hong Kong-based Sanrio Digital said anyone who knew the Internet addresses of “specific vulnerable servers” could have accessed personal information such as names and birthdates. Passwords were also available but encrypted.
However, it added that the data did not include credit card or other payment details, and that no information was stolen.
“We investigated the problem and applied fixes, including securing the servers identified as vulnerable” by the security researcher, Chris Vickery, the company said in a security advisory posted on the site.
SanrioTown.com is an online community for Hello Kitty enthusiasts around the world operated by Sanrio Digital. The site lets users play games, watch videos and keep up with news on their favorite cute character.
The site’s members include 186,261 minors, said Mark Leeper, whose public relations firm is representing Sanrio Digital.
It’s the second Internet security breach in the past month involving a large amount of children’s data.
Kids’ technology maker VTech reported a data breach that exposed the personal information of 6.4 million children around the world as well as 4.9 million parent accounts they were connected to. British police have arrested one man on hacking-related charges in that case.
Sanrio Digital is a joint venture between Hong Kong game developer Typhoon Games, which has a 70 percent stake, and Sanrio, which owns the rest.
