Details on over three million Hello Kitty customers users have been leaked in the latest major hack to hit a consumer brand.
The leak occurred on a website called Sanriotown.com, an online community for the popular Japanese character Hello Kitty. In total 3.3 million user records have been leaked, according to Chris Vickery, the vulnerability hunter who discovered the much-publicised hack at VTech.
The exposed records include names, email addresses, passwords, birth dates and locations of those registered with the website. Sanrio Co. Ltd is a Japanese firm that designs, licenses and produces products based around pop-culture characters including Hello Kitty.
A number of other domains are also reportedly affected by the data leak, including hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com.
Security news blog Salted Hash, which was contacted by Vickery following his discovery, reported that the leak was down to poor database security, and that two backup servers containing mirrored data were also found online. The earliest logged exposure of the data is 22 November.
Users of any of the affected websites are urged to change their passwords immediately. Any passwords used with other services, such as email and online banking, should now also be updated.
SanrioTown stated on its website that the firm routinely collects a range of details from users.
"The second kind is non-personally identifiable information which includes your IP address, operating system, browser software, ISP, domain type and other numeric codes which identify a computer."
V3 contacted Sanrio for comment, but had received no reply at the time of publication.
Emily Orton, director at UK security firm Darktrace, said the leak was yet another indication that firms must ensure adequate security when handling personal information.
"Companies like Sanrio need to urgently rethink the way that they protect their information and reputation.
"The status quo of security is not good enough anymore. We know that companies face continual threats. Now it is time to do something about it, and bolster internal monitoring systems that work to catch early signs of compromise."
VTech admitted earlier this month that over one million UK parent and child records were compromised in an attack on its servers.
Up to 190GB of private images and a huge cache of personal chat logs between parents and children were among the data stolen. The data included five million customer records covering names, addresses and passwords, alongside roughly 200,000 personal details of children.
A 21-year-old man has since been arrested in relation to the VTech hack on suspicion of "unauthorised access to a computer to facilitate the commission of an offence" and "causing a computer to perform a function to secure/enable unauthorised access to a program/data".
2015 has been a record year for cyber attacks and data breaches, including high-profile hits at JD Wetherspoon, Target and the US Office of Personnel Management.
93 per cent of UK homes and businesses can now use 24Mbps+ broadband
1.9 trillion yen offer by WD-led consortium falls short of Toshiba's demands - but may be accepted anyway
Banking Trojan that 'wreaked havoc' in Europe and the US in 2014 may have absorbed NSA exploits to spread via network security flaws, not just phishing
Leaks in the run-up to Samsung Galaxy Note 8 launch pretty much gave it all away