No Longer So Kawaii! Researcher Reports More Than 3M Hello Kitty Fans Exposed In Data Breach

An Austin security researcher says more than 3 million accounts on Sanrio sites were exposed to the internet by an insecure database.

December 21, 2015 

Data on more than three million users of HelloKitty.com and other sites associated with the popular character was exposed to the internet by an insecure database, Austin-based security researcher Chris Vickery said this weekend.

Vickery, who has recently uncovered millions of accounts' worth of potentially sensitive user data stored in publicly accessible databases at insurance claim management software firm Systema Software, security software maker Kromtech, and HIV-positive dating app Hzone, says the database includes users' names, email addresses, encoded birthdates, passwords, and other information.

He says he discovered the cache of Hello Kitty data through Shodan, a search engine for internet-connected devices that is popular with hackers and security researchers because it indexes openly accessible services rather than ordinary websites. The database came up in a search for publicly accessible databases built on the popular MongoDB platform, he says. While it wasn't labeled as belonging to Sanrio, the company behind Hello Kitty, its ties to the Hello Kitty sites were obvious from the data, he says.

"The Hello Kitty database isn't marked as Hello Kitty," he says. "It goes by another name that I'm not sharing right now."

The database no longer appears to be accessible, he says.

"The alleged security breach of the SanrioTown website is currently under investigation," the company said in a statement Monday afternoon, referring to an official forum site said to be involved in the breach. "Information will be made available once verified."

Shodan cofounder John Matherly wrote last week in a blog post that the search engine had indexed more than 35,000 publicly accessible MongoDB instances, warning that many are probably reachable unintentionally because of misconfigured servers: a mongod that listens on a public interface with access control left off will hand its contents to anyone who connects. And common tools make accessing those databases almost as easy as opening a Google spreadsheet.
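The misconfiguration behind those 35,000 hits is usually a plain one. The following configuration fragment is an added illustration for this page, not configuration from Sanrio, Shodan, or any system mentioned in the article; it shows a mongod.conf of the kind that ends up in Shodan's index beside a hardened version. The option names are MongoDB's real YAML configuration keys; the addresses and comments are illustrative.

```yaml
# Exposed (constructed example): mongod listens on every interface, including the
# public one, and never asks for credentials. Anyone who can reach TCP port 27017
# can list and dump every database. Binding to all interfaces was the default for
# mongod before MongoDB 3.6, and authorization is still off unless enabled.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# Hardened (constructed example): only local clients can connect, and every client
# must authenticate against a role-based user. If remote application servers need
# access, bind to a private or VPN address instead of 0.0.0.0 and firewall the port.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

Create the first administrative user over a local connection before restarting with `authorization: enabled`, then confirm from a host outside your network that `mongo --host <public-address> --eval 'db.adminCommand("listDatabases")'` is refused rather than answered. A host or network firewall rule on port 27017 is the second layer; the bind address alone does not help if the machine is later reconfigured or the setting is overridden on the command line.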

Vickery says he has reported roughly two dozen vulnerable sites to their owners this year, including a database at Kromtech that exposed data on roughly 13 million users of its security software MacKeeper. In that case, Kromtech said there was no sign the data had been accessed by anyone besides Vickery, but Vickery says he generally assumes he's not the only one able to find such vulnerable databases.

"My theory is that in all these cases it has been compromised, and the companies just aren't watching logs or aren't willing to admit it," he says. "If I'm coming across it, I am pretty sure somebody else is coming across it."

In the current breach, he advises Hello Kitty fans to change their passwords anywhere they may have used the same credentials.

"If you've reused that password, change it everywhere else you've used it," he says.

Although the passwords were stored in encrypted form, they could still potentially be cracked by determined attackers; how quickly depends on the hashing scheme used and on the strength of the passwords themselves. And, as the leak shows, plenty of personal data is being served with no password at all, something privacy advocates say needs to change.

"I think at this point, it would be appropriate for federal regulators who enforce data security to issue guidances or news releases that even more companies and entities might see and act upon to secure their databases," wrote the anonymous editor of DataBreaches.net, which has worked to publicize many of Vickery's discoveries, in an email to Fast Company. "Until then, you can reasonably expect that Chris will just keep finding these leaks and turning them over to the media, and that entities will incur the costs of incident response and hits to their reputation."

[Photo: Flickr user Jonathan Petit]

Fast Company
