The personal details of more than 3 million users of the Hello Kitty website, sanriotown.com, have been exposed over the Web. Most of the affected users are children.
Researcher Chris Vickery discovered the data breach and told Salted Hash and Databreaches.net about the matter.
Specifically, 3.3 million accounts were uncovered online. The leaked data included personal details such as each user's full name, unencrypted password, email address, birthday, gender and country of origin, along with password hints and their answers.
Apart from sanriotown.com, other Hello Kitty-related sites have likewise been illegally penetrated, including mymelody.com, hellokitty.in.th, hellokitty.com.sg, hellokitty.com and hellokitty.com.my.
Vickery said he has already reached out to the owner of the Sanrio site and the Hello Kitty brand.
In the previous week, the researcher also exposed data breaches involving more than 20 million accounts.
The sites and services Vickery said were compromised include OkHello (video chat app), MacKeeper (security vendor for Mac computers), iFit (fitness app), Slingo (online gaming website), Vixlet (social network), Hzone (dating app for HIV patients) and California Virtual Academies (online school network).
Users of the compromised sites should change their login credentials, particularly if they used similar usernames and passwords on critical sites such as their social media, email or online banking accounts.
It is also wise to change the related password hints and security questions and to use two-factor authentication.
Last month, the Learning Lodge of electronic toy maker VTech was compromised. This was considered one of the biggest security breaches ever documented.
The hacking incident exposed the names, passwords, home addresses and email addresses of close to five million parents and over 200,000 children. The first names, genders and birthdays of their children were also exposed.
The VTech customer data in the Learning Lodge app was illegally accessed on Nov. 14, according to the email VTech sent to Motherboard.
"We were not aware of this unauthorized access until you alerted us," said Grace Pang, spokesperson for VTech.
When the VTech hacker was asked about his motive for carrying out the attack, he said "nothing." Moreover, the hacker said that the data was shared only with the website Motherboard.