
Data on 3.3 million Hello Kitty fans sat out in open, researcher says

The information on SanrioTown, a website for fans of Sanrio characters like Hello Kitty, appears to include personal data on people under 18.

Anyone who wants to play the popular multi-player game Hello Kitty Online must register on SanrioTown.

Hello Kitty is everywhere -- on backpacks, shirts and notepads. Now she's the face of a data breach that reportedly affects up to 3.3 million people.

Personal information for fans who connect through SanrioTown has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required, a security researcher said over the weekend. SanrioTown, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online.

The unprotected data doesn't simply include usernames, email addresses and password hints. It also contains people's names, dates of birth, genders and other identifying information, said researcher Chris Vickery. The data has since been secured, he added.

Sanrio confirmed the data had been vulnerable in a statement on Tuesday, and that the company has secured it after investigating the problem. "In addition, new security measures have been applied on the server(s); and we are conducting an internal investigation and security review into this incident," Sanrio said in a written statement. "To the Company's current knowledge, no data was stolen or exposed."

Sanrio said it doesn't create accounts for children under 13. However, the leaked information, which came from users all over the world, appears to include accounts for those under age 18.

It's unclear how much data on children is involved, and this news is eclipsed by last month's hack of user information on more than 6 million children from toy software company VTech. The discovery of the SanrioTown information shows that it doesn't always take hackers with advanced skills to breach sensitive information, including that of children.

Sanrio didn't immediately respond to a request to confirm the number of records affected by the breach. It also did not respond to another question about whether information from minors was included in the exposed data.

Vickery showed CNET a sample of the records he saw, which includes a list of usernames, scrambled-up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database.

Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud.

The security researcher has made a name for himself finding unprotected information on the Internet. Earlier this month, he discovered information for 13 million users of the security app MacKeeper. He also found more than 1 million health insurance records left unsecured by a payment processing company in September.

He spends his days helping computer users as an IT technician, but makes sleuthing out unprotected data his hobby because he thinks too many companies are being "reckless" and "lazy" about keeping user information safe.

What's troubling about the SanrioTown breach is that someone doesn't need advanced hacking skills to find and read the information. To the contrary, it can be found through a website that looks for data in the same way Google looks for websites, Vickery said. Finding data takes some digging, he added, but with time and curiosity, anyone with a Web browser can find information like that of SanrioTown.

"It's kind of the whole, 'Oh, it won't happen to me' mentality," Vickery said. That, he said, is why he's talking about it to the press.

Update, 11:50 p.m. PT: Adds statement from Sanrio confirming the data had been unprotected.