ThreatSTOP Blog

Bah-Humbug: Targeting Children’s Identities During the Holiday Season

Written by threatstopbme | December 22, 2015

Two recent massive breaches appear to be targeting children’s identities—attacks on VTech and Hello Kitty. Stealing the identities of children is not only far more morally egregious than targeting adults, the crimes will likely not be uncovered for many years—no one expects their child’s identity to be stolen, and therefore do not monitor for such activity. It is usually detected when a child matures and seeks to secure credit for a student loan or first auto loan, only to find these credit facilities unavailable at a critical point in young adulthood.

Why children’s identities? Unlike adult identities that may or not be useful due to a certain percentage having low or mid-range credit scores, children’s identities have no history and usually register credit scores good enough to secure credit.

Hello Kitty

According to CSO Online, a database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.

The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.

Vickery also noted that accounts registered through the fan portals of the following websites were also impacted by this leak: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.

In addition to the primary sanriotown database, two additional backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is November 22, 2015.

Researchers are actively seeking to get access to the data dump, which has not been made public as of publication.

 VTech:

According to ABC News, “the scope of the VTech cyberattack in November was global. The Hong Kong-based company said its customer database includes people in various countries: the United States, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Hong Kong, China, Australia and New Zealand, in addition to various Latin American countries.

VTech said 4,854,209 parent accounts and 6,368,509 related kid profiles were affected by the security breach, after its Learning Lodge store, a portal where customers can download educational content to their child-friendly VTech devices, had been accessed by an unauthorized party Nov. 14.

VTech's customer database includes "general user profile information," according to the company.

That includes a customer's name, email address, password, secret question and answer for retrieving a lost password, IP address, mailing address and download history. In addition, VTech says its “database also stores kids’ information including name, genders and birthdates.”

The information in both of these attacks is adequate to successfully steal the identities of millions and millions of children. Unlike credit card fraud, which is limited to enabling a fraudster to access your account, identity fraud enables a fraudster to take over the identity of an innocent person to open accounts or loans for an auto, home, wireless phone or credit card in the victim's name, and abuse that credit. It often results in massive, delinquent debt linked to the victim’s good name. It is a crime that is difficult to prosecute, and even more difficult for the victim to recover from.