Database Leak Exposes 3.3 Million Hello Kitty Fans (csoonline.com)

← Back to Stories (view on slashdot.org)

Database Leak Exposes 3.3 Million Hello Kitty Fans (csoonline.com)

Posted by samzenpus on Sunday December 20, 2015 @01:15PM from the herding-kitties dept.

itwbennett writes: "A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery," writes CSO's Steve Ragan, who was contacted about the leak Saturday evening. The database houses 3.3 million accounts containing records including first and last names, email addresses, unsalted SHA-1 password hashes, password hint questions and their corresponding answers, along with other information. The database also has ties to a number of other Hello Kitty portals.

62 of 92 comments (clear)

Min score:

Reason:

Sort:

Super Happy Security Breach Error Get! by carlhaagen · 2015-12-20 13:25 · Score: 5, Funny

=(^.^)= Kawaiiiii!
1. Re:Super Happy Security Breach Error Get! by Anonymous Coward · 2015-12-20 15:36 · Score: 2, Funny
  
  This is horrible! I'd rather have my Grindr account exposed! Oy! Whatta meesa sayin'?
2. Re:Super Happy Security Breach Error Get! by Tablizer · 2015-12-20 16:28 · Score: 1, Flamebait
  
  Now they can get a life and go out to eat at "Super Lucky Happy Golden Family Noodle House".
  
  --
  Table-ized A.I.
3. Re:Super Happy Security Breach Error Get! by Tablizer · 2015-12-21 04:48 · Score: 1
  
  What's with the zero mod? Is this considered racist? I don't get it. Explanation desired, please.
  Note that Hello Kitty is Japanese, while my joke mostly pokes fun at Chinese restaurant names. (I don't know if and how much Japanese restaurants borrow from that.) But I'm sure US restaurant names have patterns that can be poked fun of also. Mimi's, Arbie's, Charlie's, etc. for example.
  The person I replied to also poked fun at Chinese naming tendencies, but they didn't get mod-slammed.
  
  --
  Table-ized A.I.
The question is by phantomfive · 2015-12-20 13:34 · Score: 2

What website is there with security that can't be penetrated?
Don't consider things online to be safe.

--
"First they came for the slanderers and i said nothing."
1. Re:The question is by Anonymous Coward · 2015-12-20 13:39 · Score: 5, Funny
  
  What website is there with security that can't be penetrated?
  
  I pen-tested a website for a celibacy group and didn't find any holes.
2. Re:The question is by phantomfive · 2015-12-20 14:07 · Score: 1
  
  I do not see how that question makes sense in this context
  
  --
  "First they came for the slanderers and i said nothing."
3. Re:The question is by TWX · 2015-12-20 14:44 · Score: 4, Funny
  
  What website is there with security that can't be penetrated?
  I pen-tested a website for a celibacy group and didn't find any holes.
  Funny that, I penetration-tested a celibacy group and ultimately the group lost all of its membership...
  
  --
  Do not look into laser with remaining eye.
4. Re:The question is by ls671 · 2015-12-20 15:16 · Score: 2
  
  It isn't a virgin group, we are just libertarians.
  John Redcap
  Celibacy group president.
  
  --
  Everything I write is lies, read between the lines.
Oblig. by rmdingler · 2015-12-20 13:34 · Score: 1

Can Has Hashtags.

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Less shocking than Hello Kitty not being a cat by buchner.johannes · 2015-12-20 13:36 · Score: 3, Interesting

This is the first leak I have seen where the password hint questions are leaked too. Will be interesting to see how users in the real world link passwords and password hints, and if algorithms can be developed to uncover 99% of all passwords/answers from password hints -- I presume many password hints contain the answer or substantial parts of it (e.g. "pass + 123" = "pass123").

--
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
1. Re:Less shocking than Hello Kitty not being a cat by Anonymous Coward · 2015-12-20 14:52 · Score: 1
  
  Fun little trick, always pick the hint questions as presented until you've chosen the required amount. Now generate an equal number of random words that you can remember. Those are now your answers in order, and unlike 99% of the password hint questions you can't find the answer with 5 minutes of google (e.g mother's maiden name, high school attended, first pet, etc).
2. Re:Less shocking than Hello Kitty not being a cat by ls671 · 2015-12-20 15:22 · Score: 1
  
  favorite travel destination: school
  first pet name: computing
  mother maiden name: hacking
  etc..
  
  --
  Everything I write is lies, read between the lines.
3. Re:Less shocking than Hello Kitty not being a cat by KGIII · 2015-12-21 07:24 · Score: 1
  
  Can't they hash and salt all of that - including the actual security questions and allow you to make your own hint/questions? It's not like those are called all that frequently so it shouldn't add a bunch of overhead, should it? And, if so, why the hell are we still not doing that?
  
  --
  "So long and thanks for all the fish."
Low-sodium security diet. by geekmux · 2015-12-20 13:41 · Score: 1

"...unsalted SHA-1 password hashes..."
Well, of course they're unsalted. Sodium is bad for Kitty.

"...password hint questions and their corresponding answers..."
Oh holy shit on a popsicle stick, I wonder how many of them aren't about cats...
That was close... by __aaclcg7560 · 2015-12-20 13:47 · Score: 1

Another reason not to buy the Hello Kitty microwave oven at Fry's Electronics.
Slashdotters live in terror... by 93+Escort+Wagon · 2015-12-20 13:59 · Score: 3, Funny

... that their secret may now come out. Oh, well, it could be worse - it could've been a My Little Ponies site.

--
#DeleteChrome
1. Re:Slashdotters live in terror... by R3d+M3rcury · 2015-12-20 14:14 · Score: 5, Funny
  
  I was just going to say, hackers will be taking a page out of Ashley Madison:
  "If you don't want your friends to know of your 'Hello Kitty' purchases, transfer $10,000 to this account in the Bahamas..."
2. Re:Slashdotters live in terror... by kit_triforce · 2015-12-20 14:17 · Score: 1
  
  Join the herd!
  On a side note I discovered the MLP show and community from /. comments!
3. Re:Slashdotters live in terror... by rossz · 2015-12-20 14:41 · Score: 1
  
  Nah. My Little Pony fanbros have no shame.
  
  --
  -- Will program for bandwidth
4. Re:Slashdotters live in terror... by randalware · 2015-12-20 14:44 · Score: 1
  
  We have a hello kitty bathroom decor.
  Inherited it from girlfriend's daughter (it's her house).
  too many other things to spend money on first.
  but now the the shame is too much to bear.
  going to Bed Bath & Beyond for an emergency bathroom make over.
  with a quick stop for some booze at liquor barn...
  your supposed to redecorate bathrooms drunk, right ?
  
  --
  This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
5. Re:Slashdotters live in terror... by Zero__Kelvin · 2015-12-20 14:51 · Score: 1
  
  "We have a hello kitty bathroom decor."
  This is what happens when you let big government control your data.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
6. Re:Slashdotters live in terror... by U2xhc2hkb3QgU3Vja3M · 2015-12-20 15:51 · Score: 1
  
  Yellow pony is best pony! (yay!)
7. Re:Slashdotters live in terror... by U2xhc2hkb3QgU3Vja3M · 2015-12-20 15:52 · Score: 1
  
  going to Bed Bath & Beyond for an emergency bathroom make over.
  If someone there happens to sell you a remote, you'll be able to stop that Hello Kitty bathroom from ever happening in the first place.
8. Re:Slashdotters live in terror... by grep+-v+'.*'+* · 2015-12-20 16:21 · Score: 1
  
  "If you don't want your friends to know of your 'Hello Kitty' purchases, transfer $10,000 to this account in the Bahamas..."
  Sorry, there was a language translation error for the original Japanese site. It should have read: Hello Pussy instead.
  
  It was actually Ashley Madison's VR "furry" site. Believe me, $10K to keep your name off that site would be cheap at TWICE the price. ;-)
  
  --
  If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
9. Re:Slashdotters live in terror... by Bite+The+Pillow · 2015-12-20 16:45 · Score: 2
  
  You left out the account number. Please reply ASAP.
  Posting anon for obvious reasons.
10. Re:Slashdotters live in terror... by Krishnoid · 2015-12-20 18:02 · Score: 1
  Sanrio finds sample emails of that sort and buys ads matching the right keywords
  Google serves them up to gmail users when that email is displayed
  End-user chooses whether to spend $10k to maybe keep their secret safe, or "Hello Kitty merch sale, just for leaked email addresses!"
  Profit!
11. Re:Slashdotters live in terror... by R3d+M3rcury · 2015-12-20 19:41 · Score: 1
  
  I gotta admit, when I first saw the phrase, I thought it was a variation of Hello Nurse!
12. Re:Slashdotters live in terror... by drinkypoo · 2015-12-20 23:38 · Score: 1
  
  ... that their secret may now come out. Oh, well, it could be worse - it could've been a My Little Ponies site.
  No, I am a Keroppi fan, I swear!
  Wait, that's not much better, is it?
  ObDisclaimer: I bought crap for my own use at Sanrio well into my twenties. My twenties, alas, have well and truly receded
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
13. Re:Slashdotters live in terror... by Sadiq-Gill · 2015-12-21 04:05 · Score: 1
  
  I wonder it all my "Bad Batz Baru" purchases will be revealed?
  
  --
  Sadiq Gill
14. Re:Slashdotters live in terror... by KGIII · 2015-12-21 07:27 · Score: 1
  
  I'm not clicking that link. I haven't got time for that right now. ;-) It's gotta be Animaniacs. I'm not big on TV but that was awesome and Pinky and the Brain was equally awesome. Yes, yes I did smoke a lot of weed back then.
  
  --
  "So long and thanks for all the fish."
15. Re: Slashdotters live in terror... by KGIII · 2015-12-21 08:28 · Score: 1
  
  I concur! Heh... I have the entirety of Pinky and the Brain, via torrent I think, at my house. I think when everything settles down and the missus and I head up to bed, I'll probably stream it and watch some tonight. I'm in Florida and they *really* frown on weed here so I didn't bring any with me and I won't be going to buy any. There are other things to do, I guess. It is Florida, after all.
  
  --
  "So long and thanks for all the fish."
I have a great idea! by Anonymous Coward · 2015-12-20 14:08 · Score: 5, Insightful

Step 1. Lay off the sysadmin, the DBA, the network admin, and the developer
Step 2. Hire a "full stack developer" and pay him one below-market salary to do 4 peoples' jobs at once
Step 3. ???
Step 4: PROFIT!!!
1. Re:I have a great idea! by KGIII · 2015-12-21 07:34 · Score: 1
  
  you can always say "I only signed up for the kids".
  That can be taken horribly out of context.
  
  --
  "So long and thanks for all the fish."
G.K. by Tablizer · 2015-12-20 14:28 · Score: 1

Goodbye Kitty

--
Table-ized A.I.
God damn it. by PopeRatzo · 2015-12-20 14:36 · Score: 1

Everything happens to me.

--
You are welcome on my lawn.
1. Re:God damn it. by KGIII · 2015-12-21 07:39 · Score: 1
  
  The little missus has Hello Kitty panties and a couple of shirts and a hat. :/ It's already a little awkward going out in public with a g/f that's nearly 40 years my junior (oh, the stares the women give me - the men smile and nod knowingly) but it's a bit more awkward when she's wearing a Hello Kitty fuzzy hat or, now that we're down here, a shirt.
  Ah well... It could be worse. She could be wearing just the hat, shirt, and panties. I'm pretty sure that someone will just shoot me at that point. It is Florida after all.
  
  --
  "So long and thanks for all the fish."
2. Re:God damn it. by PopeRatzo · 2015-12-21 08:57 · Score: 1
  
  It's already a little awkward going out in public with a g/f that's nearly 40 years my junior
  Especially when you're only 48 years old.
  
  --
  You are welcome on my lawn.
3. Re:God damn it. by KGIII · 2015-12-21 09:17 · Score: 1
  
  Heh, we need the pedobear gif that says, "Too old!" I was having an email chat with another /.er and we've concluded that the old ladies hate it and the old men are envious. I imagine that means nothing good can come of it. The Hello Kitty panties were kind of odd for me at first. I wasn't quite sure how to take it but I've adapted just fine. ;-)
  As an aside: Man, Florida is lovely this time of year. It was in the 70s and there were a few small showers. It's dark in Maine and probably about 32 f. at home but probably colder with the wind chill. Hmm... Nope, Google says it's snowing but pretty warm (almost 40 - but the house is up on the mountain) and 20 MPH winds. I was walking on the beach earlier today.
  
  --
  "So long and thanks for all the fish."
This time ISIS has gone TOO FAR!!! by Anonymous Coward · 2015-12-20 14:36 · Score: 2, Funny

Quick Lil'Joe...to the Pentagon!
1,2,3 New round of blackmail as list may be posted by bagboy · 2015-12-20 15:18 · Score: 2

Maybe you lucked out from the Ashley Madison fiasco, but if your name is on this list, exposure may cost you more than you know.
Re:Why oh why? by Bite+The+Pillow · 2015-12-20 16:50 · Score: 1

Belonging is important. Saving money, aka spending fewer dollars on stuff you would not buy at full price, is as euphoric as drugs.
So many other reasons. Give it some thought and come back. I'm sure you can come up with one or two more.
You are in the minority, and it would serve you well to understand a bit about "these people".
Re:Why oh why? by MadMaverick9 · 2015-12-20 18:33 · Score: 1

Belonging is important.
Maybe to you - but not to me.

it would serve you well to understand a bit about "these people".
No! I will not lower myself to that level.

You are in the minority
Thank you! And I am proud of that fact!
Bad by robbiedo · 2015-12-20 19:00 · Score: 1

Bad Badtz Maru...
Re:Why oh why? by MadMaverick9 · 2015-12-20 19:05 · Score: 1

Belonging is important.
You have pointed out one of civilization's biggest problems - besides a few others.
People are afraid.
People are afraid of being alone; afraid of not fitting in; afraid of making decisions for themselves by themselves.
Which is the main reason for "social media" and "amazon reviews", etc.
Re:Why oh why? by BBF_BBF · 2015-12-20 19:28 · Score: 1

Why do people sign up for every website they come across?
This is a website about some japanese cat for crying out loud.
Why do people sign up for something like this? I guess it's the same people who sign up for safeway cards, starbucks cards and other discount cards.
I just don't get it.
You go into the store, you buy the shit you want and you leave. Just leave it at that for crying out loud. What's wrong with these people?
Yeah, why oh why do people sign up for a site like slashdot, especially when one could do it anonymously?
This is a website about "news for geeks" for crying out loud.
Why would MadMaverick9 sign up for something like this? I guess it's the same people who sign up for engadget, arstechnical and reddit.
I just don't get it.
You go to the site and read the articles and leave. Just leave it at that for crying out loud. What's wrong with MadMaverick9?
Funny ol' world by jandersen · 2015-12-20 20:24 · Score: 1

It would probably be more damaging to one's career - certainly as a hard talking politician - to be found on the Hello Kitty fan club's name list, than any revelations about drug taking, sexual deviancy or Communist sympathies. Ant chance that there were names of top terrorists among them?
Password hints by Anonymous Coward · 2015-12-20 20:35 · Score: 1

I always found this "password hint" thing a huge security hole, sacrificing the bit of security there is in a user-chosen password for the benefit of the "service" provider.
For me, the simple password is (for unimportant things) always the result of "pwgen -n 8". My favorite's pet name is the result of "pwgen -n 16", which I write down if my account is in some way important to me (highly unlikely for one having a password hint) -- or which I forget right away.
Lost the password? lost the account. Helps me keeping independent.
Re:Why oh why? by aaarrrgggh · 2015-12-20 20:43 · Score: 1

You had me until Starbucks cards; as a stored value card they are great. The account also has value in being able to pre order your drinks. Everything is relative, but whatever.
Hello Kitty Rainbow Tables by dbIII · 2015-12-20 20:45 · Score: 1

When the mod system came in and AC comments were modded down it was time to sign up. Then when I forgot the password and had the account linked to a previous work address I signed up again. What's your excuse :)

The thing that will suck the most here is a pile of those users will have the same passwords out there on something else.
Script kiddies with Hello Kitty Rainbow Tables - if someone had taken that to an SF editor a while ago it would have been thrown out as too silly and too far fetched - but now it's probably real!
good run, but by Tablizer · 2015-12-20 20:58 · Score: 1

now the poor cat has to go back to her day job.

--
Table-ized A.I.
Could someone expose the Slashdot user database ? by LordHighExecutioner · 2015-12-20 23:11 · Score: 3, Funny

I am so curious to learn who is behind the user name "Anonymous Coward". He is such a prolific, sleepless contributor...
I Have No Mouth, And I Must Yowl by drinkypoo · 2015-12-20 23:40 · Score: 1

I THINK, THEREFORE I'M CUTE

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Just from their market alone by laurencetux · 2015-12-21 01:04 · Score: 1

can you imagine the kind of money you can raise tapping a market that 1 Cute 2 has poor impulse control 3 tends to have access to large sums of money? (oh thats right you can just look at the Sanrio tax filings [just remember to account for all the divs])
In the grimdark future of Hello Kitty... by Chris+Mattern · 2015-12-21 04:01 · Score: 1

...there is only war.
Re:I have a great idea! [prevention evaluation] by Tablizer · 2015-12-21 05:04 · Score: 1

Lay off the sysadmin, the DBA, the network admin, and the developer...Hire a "full stack developer" and pay him one below-market...
It's difficult to convince many managers that prevention is worth it. They are probably lied to by vendors and past staff enough such that they only pay for clear-cut and immediate needs rather than hard-to-verify prevention.
A lot of vendors and spinner employees claim crap like, "Oh, you need to purchase/build/install a Flux capacitor to prevent the thibble-bop from overloading and crashing the dookitron." After being burned a couple of times, they don't pay even for legitimate prevention because they cannot tell the difference, and so skip ALL prevention.
It's a problem that plagues many forms of technology and infrastructure, such as building construction, plumbing, car repair, etc. The end user cannot easily verify prevention claims.
Yes, one can google around for advice, but it could take several hours to absorb it, and still require specialized experience to evaluate. Time is money for businesses.
If it's the main line of business (primary source of profit), then managers usually know what to look for. However, if it merely supports the main line of biz, such as retail and character licensing in this case, then they are typically unfamiliar with it and skeptical.

--
Table-ized A.I.
Re:Could someone expose the Slashdot user database by Tablizer · 2015-12-21 05:07 · Score: 1

Spartacus can kick your anonymous ass

--
Table-ized A.I.
Re:PHP by Qzukk · 2015-12-21 05:33 · Score: 1

lacks a standard language-native built-in login system
Have you seen a language that includes it's own native login system?

--
If I have been able to see further than others, it is because I bought a pair of binoculars.
Fuck me by DanJ_UK · 2015-12-21 05:55 · Score: 1

Just imagine, all the possibilities, with this information.

For fucks sakes how did this submission get accepted?

--
- Dan
1. Re:Fuck me by DanJ_UK · 2015-12-22 01:24 · Score: 1
  
  Please, really?
  
  --
  - Dan
Re:Why oh why? by NominalLoss · 2015-12-21 06:28 · Score: 1

To be fair though, nearly all the recent mass shooting were done by despondent loners. I prefer my people buying useless crap and hanging out on Rule 34 then gunning down innocents.
This is more embarrassing... by cfeagans · 2015-12-22 07:13 · Score: 1

... than being on the Ashley Madison list. The Hax0rs have gone too far this time!