Cybersecurity

No data stolen in Hello Kitty breach, company says

There is no evidence that any data from 3 million Hello Kitty accounts left exposed by hackers was stolen, the Hong Kong-based company that hosts the data said Tuesday.

{mosads}Sanrio Digital, part of the parent company that owns the Hello Kitty brand, told Reuters that “at this time we have no indication that any personal information was stolen.”

The company said it patched a hole in its security after researcher Chris Vickery informed it that users’ personal information was accessible online.

“It would have been extremely easy for a bad guy to take the data,” Vickery said. “Extremely easy. Almost as easy as downloading a web page.”

The data was available online for a month, according to Vickery, meaning that anyone with access to the site could have taken the data.

The exposed information includes users’ first and last names, birthdates, genders, countries of origin and email addresses, as well as lightly protected passwords.

The hack of the popular global brand is the second major breach this winter impacting a child-focused product.

In November, a hack on the digital toymaker VTech exposed the names, genders and birthdates for more than 6 million children. Five million parent accounts were also exposed in the intrusion, compromising mailing and email addresses, security questions used for password resets, IP addresses, passwords and download histories.

Security experts who have reviewed the data say the stolen information on children can be linked with their parents’ data, thereby revealing the kids’ full addresses and other information.

Sanrio does not technically allow minors to sign up for its online community; however, the policy relies on an honor code and a minor could easily lie about his or her age.

The company said that no credit card or other payment information was among the exposed data and passwords were “securely encrypted.”