A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.
The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.
The earliest logged exposure — the first time anyone accessed this data in the wild in a manner consistent with leaving log entries — was the 22nd of November.
Sanrio, as well as the ISP being used to host the database itself, have all been notified. An automated email from the ISP confirmed that the incident notification was logged, but no further details are available.