
January 14, 2017
Sanrio Digital

Sanrio Digital recently received evidence that a 2015 data breach of the SanrioTown web site involved some user data theft. Please note that this is an update about the 2015 incident, and not an existing vulnerability.

On December 22, 2015, Sanrio Digital issued a security advisory stating that personal information belonging to members of the consumer website SanrioTown.com was made publicly accessible by a security vulnerability. The vulnerability was corrected and SanrioTown users were notified of the problem (see: http://sanriodigital.com/story/security-advisory).

At the time, we had no evidence of data theft; however, we have now learned from reporter Steve Ragan of CSO Online that personal information of SanrioTown.com users was stolen during the 2015 data breach. According to Mr Ragan, a database containing information of 3,345,168 SanrioTown users has been circulating since the time of the incident. He received sample records from LeakedSource containing information of 30 SanrioTown users. We have verified that these sample records appear to be real. We cannot, however, relate the source of these sample records to the 2015 data breach, and we are unable to verify whether the LeakedSource database contains information of 3,345,168 SanrioTown users stolen during the 2015 SanrioTown data breach.

These stolen data do not include credit card information or other payment information. Users’ passwords are encrypted with the cryptographic hash function SHA-1.

Membership data of SanrioTown are not shared with other Sanrio services or websites (such as Sanrio.com); therefore, other Sanrio services were not affected.

Starting on December 22, 2015, SanrioTown and Sanrio Digital notified users about the incident, advising them to change their passwords. Media were also notified.

Detailed Information of the 2015 data breach

1.    Personal user information stolen:

First and last name

Birthday (encoded)

Email address

Password (encrypted using SHA-1 hashes)

Password hint questions

2.    Number of users affected

Potentially 3,345,168 SanrioTown accounts as reported by Steve Ragan, based on information provided by LeakedSource.

3.    Circumstances

Owing to server misconfiguration, some personal information of SanrioTown.com members was visible to people actively seeking it.

4.    Response

The vulnerability was corrected and SanrioTown users were notified starting on