Tom Spring reports:
A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend.
The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery.
[…]
On Monday, Vickery told Threatpost that Sanrio claimed that in 2015 that he was the only person to have accessed the database as part of his research. He said that Sanrio, at the time, said there were no additional intruders that may have swiped data from its database.
Read more on ThreatPost.
Since 2015, when DataBreaches.net started collaborating with Vickery and reporting on the exposed databases he finds, he and I have had several chats about how quickly some entities claim that we are the only ones who accessed their databases. This report suggests that some entities may either not conduct thorough audits of their logs before they issue statements to us or worse, that they are intentionally trying to cover up the scope of a leak. Unless, of course, the criminals are so good that they are covering all tracks.
See also Steve Ragan’s coverage, as he broke the story of the leak at the time after Vickery contacted him with his findings. It looks like he’s still waiting for a response from Sanrio to these latest developments.