Pierluigi Paganini
January 10, 2017
The security researcher Chris Vickery discovered a Sanrio database that was misconfigured and exposed to the public in 2015.
On December 2015, Vickery reported the discovery to Databreaches.net and Salted Hash.
According to Vickery not only the primary database sanriotown.com was affected, the fan portals of the following websites were also impacted by the leak:
The expert noticed that 186,261 of the records belonged to Sanrio users under the age of 18.
At the time of its discovery, Sanrio explained that it doesn’t believe the data was stolen. Now the same MongoDB database has surfaced online and the 3.3 million records put Hello Kitty fans at risk.
During the weekend, the data breach notification service LeakedSource confirmed that a Sanrio database containing 3,345,168 million users has surfaced online.
The records contained in the leaked database include first and last names, gender, encoded birthday (easily reversible), country, email addresses, SHA-1 hash passwords, password hint questions with corresponding answers, and other information.
Vickery confirmed that data available via LeakedSource is identical to what he discovered more than a year ago.
The unique difference between the two databases is a field, dubbed ‘incomeRange,’ in the LeakedSource records that was not present in the original archive. The “incomeRange” attribute comes with values running from 0 to 150, but it is still unclear its meaning.
In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
A few hours ago I published another post related to cyber attacks against misconfigured MongoDB databases.
