January 14, 2017
Update to security advisory from December 22, 2015
Sanrio Digital recently received evidence that a 2015 data breach of the SanrioTown web site involved some user data theft. Please note that this is an update about the 2015 incident, and not an existing vulnerability.
On December 22, 2015, Sanrio Digital issued a security advisory stating that personal information belonging to members of the consumer website SanrioTown.com was made publicly accessible by a security vulnerability. The vulnerability was corrected and SanrioTown users were notified of the problem (see: http://sanriodigital.com/story/security-advisory).
At the time, we had no evidence of data theft; however, we have now learned from reporter Steve Ragan of CSO Online that personal information of SanrioTown.com users was stolen during the 2015 data breach. According to Mr Ragan, a database containing information of 3,345,168 SanrioTown users has been circulating since the time of the incident. He received sample records from LeakedSource containing information of 30 SanrioTown users. We have verified that these sample records appear to be real. We cannot, however, relate the source of such sample records to the 2015 data breach, and we are unable to verify whether the database of LeakedSource contains information of 3,345,168 SanrioTown users stolen during the 2015 SanrioTown data breach.
These stolen data do not include credit card information or other payment information. Users’ passwords are encrypted with the cryptographic hash function SHA-1.
Membership data of SanrioTown are not shared with other Sanrio services or websites (such as Sanrio.com); therefore, other Sanrio services were not affected.
Starting on December 22, 2015, SanrioTown and Sanrio Digital notified users about the incident, advising them to change their passwords. Media were also notified.
Detailed Information of the 2015 data breach
1. Personal user information stolen:
First and last name
Password (encrypted using SHA-1 hashes)
Password hint questions
2. Number of users affected
Potentially 3,345,168 SanrioTown accounts as reported by Steve Ragan, based on information provided by LeakedSource.
Owing to server misconfiguration, some personal information of SanrioTown.com members was visible to people actively seeking it.
The vulnerability was corrected and SanrioTown users were notified starting on December 22, 2015. Sanrio Digital advised SanrioTown users to change their passwords on SanrioTown as well as passwords on other online services and accounts if they used similar passwords or hint questions.
5. Preventive measures
Sanrio Digital installed additional security mechanisms on SanrioTown servers and instituted additional periodic security reviews.
Please contact Sanrio Digital at firstname.lastname@example.org
Media inquiries only:
Mark Leeper (on behalf of Sanrio Digital)
Matrix Communications Limited
Tel: +852 9142-1510