back to article Hello Kitty hack exposes 3.3 million users' details, says infosec bod

Up to 3.3 million Hello Kitty users have had their personal data exposed due to a database breach at the brand's online community, a security researcher has discovered. The breach had been discovered online by researcher Chris Vickery who informed security blog Salted Hash. The exposed records …

  1. chivo243 Silver badge

    Different time, different place

    I am glad none of the toys I had as a child didn't have this "membership"

    Who's next Fisher-Price? Is my Fisher-Price phone tapped by default?

    1. Swarthy

      Re: Different time, different place

      I expect Mattel will be the next target, especially with the additional trove provided by NSA Barbie.

    2. Dan 55 Silver badge

      Re: Different time, different place

      Is my Fisher-Price phone tapped by default?

      It's not been proven that Windows Phone 8 uploads private data but there are doubts about Windows Phone 10.

    3. allthecoolshortnamesweretaken

      Re: Is my Fisher-Price phone tapped by default?

      Assume it is.

  2. thomas k


    Good thing I didn't sign up for the Hello, Kitty MMO then.

  3. Anonymous Coward
    Anonymous Coward


    "If someone managed to compromise a child's identity, the fraud might not be detected for years because most parents don't monitor their child's credit record," noted Salted Hash writer Steve Ragan.

    I don't know about your neck of the woods, but around here a child wouldn't have a bank account, an employer, a mortgage, a credit card, any other form of credit, or an electoral roll registration - so zero chance of them having a credit record to monitor.

    1. Dan Paul

      Re: Really?

      I agree Credas, but that doesn't mean that someone would not use the stolen identity of a child to create a credit record that did have those items.

      1. Anonymous Coward
        Anonymous Coward

        Re: Really?

        Play a long game and it's entirely possible that miscreants could have a more solid online personae than the person by the time they got old enough to apply for all those things.

        1. Anonymous Coward
          Anonymous Coward

          Re: Really?

          What are you driving at, moiety? So there's a child called Tracy Timmons, say, and the miscreants find out the child's name and set up a whole load of accounts in the name of Tracy Timmons. Then what? And what is there to link the miscreants' Tracy Timmons with the original Tracy Timmons as opposed to the hundreds of other people, children and adults, who share the same name, and in some cases perhaps the same date of birth? (Address will have changed in the meantime, and names and dates of birth are publicly available anyway.)

  4. Crazy Operations Guy

    Monitor your databases people

    Would it really be that hard to monitor database queries and shut off connections if it requests too many rows or performs too many requests? Such a basic bit of protection would do wonders to prevent breaches like this. No legitimate user is going to request tens of millions of rows of data over several tables, so why is doing so allowed? At best, its a bug in the code that should be fixed that should be blocked and rectified anyway.

    1. Mark 85 Silver badge

      Re: Monitor your databases people

      Go a bit further.. why is an outsider getting access to the databases? Period. If you suddenly notice someone is downloading data, it's too late.

    2. P. Lee Silver badge

      Re: Monitor your databases people

      Assuming the data was pulled from an active db and not from a backup dump.

      You'd also expect canary records and that sort of thing, right? Well, if they cared about security. However, if they got past the hardened web-server defences, I'm guessing the middleware and database bits were easy. Unbreakable they are not. Security in depth? We've heard of it.

      The problem with security is that its difficult (expensive) and tedious. Hello Kitty will suffer for this, but how many firms think it won't happen to them. It appears companies are not willing to learn from others' mistakes.

      I've had to teach my kids not to provide details online and that its ok to lie to websites. False names, ages, addresses, disposable email addresses, that sort of thing. The rule of thumb is, if you wouldn't be happy handing over a sheet of paper with all the requested details on it to a stranger coming out of prison, don't hand it to anyone you don't know, who may well leave it around for an organised crime gang to take.

      1. Anonymous Coward
        Anonymous Coward

        Re: Monitor your databases people

        "The problem with security is that its difficult (expensive) and tedious. Hello Kitty will suffer for this, but how many firms think it won't happen to them. It appears companies are not willing to learn from others' mistakes."

        Realistically, they don't care. Not much anyway.

        I've started giving fake names whenever possible - even if they don't lose your info to a hack, half of them will sell it on (legally or not).

      2. Mark 85 Silver badge

        @P. Lee -- Re: Monitor your databases people

        Hello Kitty will suffer for this, but how many firms think it won't happen to them. It appears companies are not willing to learn from others' mistakes.

        Right there is the crux of the matter and the problem/answer. What do they learn...? Pick one or all: Oh, our insurance covers it? Our customers soon forget about it? There's no penalty for this thing?

  5. Yet Another Anonymous coward Silver badge

    No not really

    >when the information relates to a child it's far worse.

    That's the problem with child labor, kids re-use the server admin password on their hello kitty page

  6. Old Handle

    This calls for seppuku.

  7. spellucci

    Easy Fix

    "The information exposed in the breach includes the first and last names, birth dates, genders, countries of origin, and email addresses for 3.3 million accounts."

    Easy fix: just change your child's birth date.

    1. Yet Another Anonymous coward Silver badge

      Re: Easy Fix

      And their gender

    2. Captain Scarlet Silver badge
      Paris Hilton

      Re: Easy Fix

      Or when signing up put in false date of births (I don't care if it is mandatory my birthday to any site which requires it is 01-01-1900)

  8. Anonymous Coward
    Black Helicopters

    Sorry for being blunt, but...

    I think it is appalling and plain out disgusting that some people would target children and people who are bound not to be very adversed with IT skills in general. There are some lines you shouldn't cross, and this is one of them.

    But on the other hand I also can't help wonder how real this whole thing actually is. From what I can tell so far it's basically the word of one guy. Normally such databases are made online and get spread around quite heavily, but in this case that doesn't seem to be the case.

    What also bothers me a little is when you mention thoughts like these the first you hear is: "but several big news outlets have reported this", as if that has any meaning when it comes to the legitimacy of a story... I know I can be quite the skeptic, but when it comes to commercial issues then the competition can also do very weird things, it's easy to try and ruin a companies reputation like this, especially without even having to provide any proof.

    I mean... This guy ran to the media first and informed the company second. That strikes me as a little bit odd.

  9. Anonymous Coward

    Is it the headline writer's day off?

    "Hello Kitty, Bye Bye Identity"

    "Bye Bye Kitty, 3.3 million user profiles leave "

    etc etc....

  10. Anonymous Coward
    Anonymous Coward


    Does this mean everyone will know I play Hello Kitty Island Adventure?

  11. hoola Silver badge

    How many more...

    There are just so many of these with no immediate impact that we are reaching the point were it is just accepted. A few people rant but that is it. Companies, organisations, Government have all been hit and what? A few paltry fines months or years after the event. There have been so many data sets released that it is fair to say that very few people will have not been affected. More to the point, once the data has been accessed, there is even less control. The problem is that the authorities are incapable of dealing with this effectively because of delays in reporting and lack of effective legislation. They would also have to censure themselves!

    These sorts of breaches should result in an immediate offline of the website with a standard holding page. This should be then followed up with some sort of fine that will have an impact, event if it is held in ESCROW temporarily. The challenge is to make companies report this without getting away with it.

  12. allthecoolshortnamesweretaken

    First they tell us 'Hello Kitty' is NOT a cat, and now this?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021