Hello Kitty accounts hacked, 3.3 million users have their details leaked online

Another day, another data breach. This time the victim is sanriotown.com, the official online community for Hello Kitty and another Sanrio characters. Information that includes first and last names, birth dates, countries of origin, gender, and email addresses for 3.3. million accounts - including many that belong to children - have been leaked online.

The information in the leaked database also comes from accounts registered at a number of other Hello Kitty sites, including hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com.

According to CSO, researcher Chris Vickery discovered the breach. He found "first and last names, birthday [...], gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related."

Parents have been advised to change their children's passwords immediately, as well as their own. And, as is always the case in these situations, to alter the passwords on any other sites they use that share the same login credentials.

Vickery found the leak on Saturday and has notified Sanrio, the owner of the Hello Kitty brand, about the breach. He also notified the ISP being used to host the database. Vickery has not said where he discovered the leaked data in order to reduce the risk of more people accessing it. So far, Sanrio has not commented on the hack.

The report says the data was first compromised on November 22, meaning the hackers have been in possession of the information for almost a month. In addition to changing passwords, it's recommended that any adults with accounts on the compromised sites set up some kind of credit monitoring.

Sanrio becomes the second company that makes child-focused products to suffer a data breach in the last month. Children's toy-maker VTech had information on five million customers, including passwords and IP addressess, stolen in November. UK police later arrested a 21-year-old man from Berkshire in connection with the hack.