It’s hard being a parent sometimes, as even well-meaning actions such as buying kids toys can take a nasty turn when a breach leaves the children exposed and vulnerable. In the last month, kids have been put at risk by hacks and database leaks related to Hello Kitty, Hello Barbie and VTech.

When it comes to toys, some parents opt to buy their children electronic educational toys; yet the VTech hack exposed data of nearly five million parents and over 200,000 records for kids, including thousands of photos of kids and parents as well as chat logs. Well, this time it is the Hello Kitty database that has been compromised and leaked, exposing the private information of 3.3 million users. It is unknown how many of those accounts belong to children.

Hello Kitty hack

The Hello Kitty database from sanriotown.com leaked, leaving 3.3 million Hello Kitty fans at risk. After security researcher Chris Vickery discovered the exposed records, he told CSO’s Steve Ragan:

The records exposed include first and last names, birthday (encoded, but easily reversible, Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related. Vickery also noted that accounts registered through the fan portals of the following websites were also impacted by this leak: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.
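The unsalted SHA-1 hashes are the detail a defender should care about most. The following added example (not code from the article, Vickery or Sanrio; the account names and passwords are constructed) shows why: without a salt, every user who picked the same password gets the same hash, and one precomputed table of common passwords recovers all of them at once. Beside it is the scheme a site should use instead, a per-user random salt with an iterated KDF (PBKDF2-HMAC-SHA256 here), where identical passwords produce different stored values and a precomputed table is useless.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample accounts (not from the leak): two users share a password.
SAMPLE_ACCOUNTS = {
    "kitty_fan_1": "hellokitty",
    "kitty_fan_2": "hellokitty",
    "melody_fan": "correct horse battery staple",
}

# Stand-in for the precomputed tables kept for common passwords.
COMMON_PASSWORDS = ["123456", "password", "hellokitty", "qwerty"]

# PBKDF2 work factor; 600k iterations of HMAC-SHA256 is the current OWASP guidance.
ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The scheme reported in the leak: one SHA-1 over the raw password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Recover a password from an unsalted hash with a precomputed table.
    Because there is no salt, a single table works for every account in the database."""
    table = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}
    return table.get(stored_hash)


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random salt plus an iterated KDF.
    Returns (salt, derived_key); both are stored, the salt in the clear."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_pbkdf2(password: str, salt: bytes, stored_key: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(key, stored_key)


def compare_schemes(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Hash the sample accounts both ways and report what each scheme gives away."""
    unsalted = {user: unsalted_sha1(pw) for user, pw in accounts.items()}
    salted = {user: salted_pbkdf2(pw) for user, pw in accounts.items()}
    return {
        # Same password, same hash: the shared password is visible before any cracking.
        "unsalted_equal": unsalted["kitty_fan_1"] == unsalted["kitty_fan_2"],
        # One table lookup per row recovers every common password in the dump.
        "recovered": {user: lookup_unsalted(h) for user, h in unsalted.items()},
        # Same password, different salt, different stored value.
        "salted_equal": salted["kitty_fan_1"][1] == salted["kitty_fan_2"][1],
        # The site can still verify logins against the salted values.
        "verified": all(verify_pbkdf2(pw, *salted[user]) for user, pw in accounts.items()),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Salting and iteration do not rescue a password as weak as "hellokitty" from a guessing attack against one account; they stop the dump from being cracked wholesale and stop one user's recovered password from revealing everyone else who chose it.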

Hello Kitty users should change their passwords. If the compromised password was re-used on any other site, change it there too, using a unique and strong password for each site.

Vickery later told Ragan that three IP addresses exposing user info had been secured; the issue was a misconfigured MongoDB database installation. Less than a week ago, after Chris Vickery warned that over 13 million MacKeeper users had been exposed, Shodan founder John Matherly said he found “684.8 TB of data exposed by publicly accessible MongoDB instances.” It's not unreasonable to expect more leaks to occur.
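The "misconfigured MongoDB" pattern behind both leaks is the same two settings: a server listening on every interface and no authorization required. The following added example (not from the article or from MongoDB's own tooling; the two config files are constructed) audits a `mongod.conf` for exactly those settings. It uses a small indentation-based reader for the `key: value` subset of YAML that mongod.conf uses, so it runs without third-party libraries; it is not a general YAML parser.

```python
from typing import Dict, List

# Constructed configuration resembling the exposed installations:
# bound to all interfaces, no security section at all.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the whole Internet
"""

# Constructed hardened configuration: loopback only, authorization required.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Dict:
    """Read the 'key: value' / nested-section subset of YAML used by mongod.conf.
    Indentation decides nesting; comments and blank lines are ignored."""
    root: Dict = {}
    stack = [(-1, root)]  # (indent level, dict for that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Leave any section indented at least as deep as this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp") if isinstance(net, dict) else None
    if bind_ip is None:
        # Packaged configs usually set 127.0.0.1, but a mongod binary before 3.6
        # with no bindIp at all listened on every interface.
        findings.append("net.bindIp not set: pre-3.6 mongod listens on all interfaces by default")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in str(bind_ip).split(",")):
        findings.append(f"net.bindIp={bind_ip}: server listens on every interface")

    security = conf.get("security", {})
    authz = security.get("authorization") if isinstance(security, dict) else None
    if str(authz).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can reach "
                        "the port can read every collection")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["no findings"])
```

A passing audit only says the daemon is not advertising itself to the world; a firewall rule in front of port 27017 and a real user with a real password still have to exist.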

Instead of admitting the breach, Sanrio – which owns Hello Kitty – told Wired it was investigating the matter and advised users to change their passwords. Wired also noted that the games and community site Sanriotown.com is not the same as the e-commerce site Sanrio.com.

Hacking Hello Barbie

News broke in November that Mattel’s Hello Barbie, the interactive Internet-connected version of Barbie, can be “easily hacked.” Since Barbie “remembers” conversations thanks to the cloud, some kids “confide” in the doll as if it were “a diary.” That should be private and secure, yet security researcher Matt Jakubowski told NBC that he was able to access Barbie’s system information, Wi-Fi network names to which the doll can connect, account ID information, stored MP3 audio files and even the microphone.

“You can take that information and find out a person’s house or business,” Jakubowski said. “It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”

Shortly thereafter, parents claiming Hello Barbie invades kids’ privacy filed a lawsuit; their attorney Michael Kelly told The Daily Beast, “It’s interactive, so if someone hacks into the server they could technically take over and ask questions like ‘Where do you live?’ or ‘Is anybody home?’ You’re not dealing with competent adults, you’re dealing with vulnerable little kids.”

Then the $75 “eavesdropping doll” was crowned the worst toy of the year by the Campaign for a Commercial-Free Childhood. Hello Barbie received 57% of the votes to “win” the black eye of the TOADY (Toys Oppressive And Destructive to Young children) Award. “Hello Barbie was clearly the worst of the worst,” wrote CCFC. “She is the perfect storm of a terrible toy, threatening children's privacy, wellbeing, and creativity.”

Bluebox Labs also reported finding critical security vulnerabilities in the IoT doll before disclosing the bugs to Mattel partner ToyTalk. Those flaws included the Hello Barbie app using an “authentication credential that can be re-used by attackers,” connecting a “mobile device to any unsecured Wi-Fi network” that has Barbie in its name, and releasing the app with “unused code that serves no function but increase the overall attack surface.” On the server side, Bluebox warned that the ToyTalk server domain was vulnerable to the POODLE attack and that client certificate authentication credentials could be “used outside of the app by attackers to probe any of the Hello Barbie cloud servers.”

Kim Komando, who previously called Hello Barbie one of the five “must-have tech gifts” this year, now advised parents to dump the high-tech doll and stick with the low-tech Barbie of old. Komando dislikes ToyTalk’s privacy policy and ToyTalk’s “complicated corner of technology.”

Parents, keep doing the best you can to protect your kids. The hacks and leaks that put kids at risk are not likely to stop, but try not to worry and instead enjoy your holidays!