Hello Kitty, Bye Bye Data: 3.3 million users at risk after SanrioTown breach
Is nothing sacred? The answer, it seems, is no. Not even Hello Kitty. A database containing the details of 3.3 million accounts from SanrioTown.com, the official online community for Sanrio and Hello Kitty fans, has been discovered online.
According to the report over at Salted Hash, the database contains users’ full names, birth dates, gender, country of origin, email addresses, password hint questions and their corresponding answers, as well as unsalted SHA-1 password hashes. Basically, everything an enterprising data thief could possibly ask for.
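Why "unsalted SHA-1" is the detail a defender should dwell on: with no per-user salt, every account that chose the same password carries the same digest, so the whole dump can be matched against a single precomputed table, and one recovered password opens every account in its group. The example below (added here, not code from the article or from SanrioTown) contrasts that scheme with per-user salted PBKDF2. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: three accounts, two of which share a password.
SAMPLE_USERS = {
    "alice@example.com": "kitty123",
    "bob@example.com": "kitty123",
    "carol@example.com": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: one SHA-1 over the raw password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hashes(records: dict) -> dict:
    """Group accounts by identical digest.

    Without a salt, identical passwords produce identical digests, so the
    groups are visible to anyone holding the dump, and a table of digests for
    common passwords matches every account at once instead of one at a time.
    Returns {digest: [users]} for every digest shared by more than one user."""
    groups = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def make_record(password: str, iterations: int = 600_000) -> str:
    """Hardened form: a random 16-byte salt per user and a deliberately slow
    KDF (PBKDF2-HMAC-SHA256). Two users with the same password get different
    records, and each guess costs `iterations` hash computations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations: int = 600_000):
    """Return (legacy digests, shared-digest groups, hardened records)."""
    legacy = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    shared = duplicate_hashes(legacy)
    hardened = {u: make_record(p, iterations) for u, p in SAMPLE_USERS.items()}
    return legacy, shared, hardened


if __name__ == "__main__":
    legacy, shared, hardened = demo()
    for digest, users in shared.items():
        print(f"unsalted SHA-1 {digest} is shared by: {', '.join(users)}")
    for user, record in hardened.items():
        print(f"{user}: {record[:40]}...")  # salts differ, so records differ
```

The iteration count follows the current OWASP guidance for PBKDF2-HMAC-SHA256 (600,000); a memory-hard function such as Argon2id or scrypt is the better choice where a library is available, but the point here is the salt and the cost, both of which the leaked scheme lacked.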
The discovery was made by security researcher Chris Vickery. But this isn’t the first time he’s found exposed databases just waiting to be looted. In recent weeks, Vickery and others have brought to light a vast amount of exposed data – there are tens of thousands of databases at risk. One recent high-profile case revealed by Vickery saw MacKeeper’s database of 13 million customers – all 21 gigabytes of it – left exposed.
These databases have one thing in common: they were all discoverable through the Shodan search engine, a tool that lets users search for specific types of computers attached to the internet, such as servers, routers, or even more esoteric devices such as home heating systems, security systems and traffic lights.
The founder of Shodan, John Matherly, recently found no fewer than 35,000 publicly accessible databases – all running MongoDB – which collectively exposed 684.8 terabytes of data.
In his blog, Matherly makes clear that this issue isn’t unique to MongoDB, but is instead largely due to user error. In fact, the newer versions of MongoDB close the potential security hole by default, but apparently users are actively changing the default configuration to one that is less secure.
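The misconfiguration behind those findings comes down to two settings in `mongod.conf`: listening on every network interface while authorization is disabled. The script below is an added example (not from the article, Matherly's post or the MongoDB project) that audits a config for exactly that pair. It assumes the YAML config format introduced with MongoDB 2.6 and the real option names `net.bindIp`, `net.bindIpAll` and `security.authorization`; the tiny parser only handles the nested mappings of scalars those files use, so it runs without PyYAML. Both configs are constructed samples.

```python
# Constructed sample: the weak pattern behind the exposed-database reports.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network, including the internet
security:
  authorization: disabled  # anyone who connects has full access
"""

# Constructed sample: the corrected form. Remote clients reach the server
# through a firewall rule, VPN or SSH tunnel rather than a public listener.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1        # local clients only
security:
  authorization: enabled   # every client must authenticate
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse the subset of YAML that mongod.conf uses: indented mappings whose
    leaves are scalars. Comments are stripped. Assumption: no lists, anchors
    or flow-style values; this is not a general YAML parser."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while indent <= stack[-1][0]:  # close deeper/equal mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text: str) -> list:
    """Return a list of findings; an empty list means the two checks passed."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    bind_ip = net.get("bindIp")
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: listens on every interface")
    elif bind_ip is None:
        # The compiled-in default differed between releases, so an absent
        # bindIp means the binary decides; say so rather than guess.
        findings.append("net.bindIp is not set: exposure depends on the build's default")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append(f"net.bindIp={bind_ip}: listens on every interface")

    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not enabled: unauthenticated clients get full access")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['ok']}")
```

Either finding alone is a problem; together they are the "open database" Shodan indexes, since the service answers on a public address and accepts any unauthenticated command.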
Oops. Well, unsurprisingly, it turns out that Hello Kitty is much, much better at being cute than securing database servers.