A database used by Hello Kitty fans has reportedly been found online after servers were hit last month.
As many as 3.3 million records are said to be in the database. It's not immediately clear where the database was leaked to, or if the database can be verified for authenticity.
The breach, first reported by CSO Online, was discovered by security researcher Chris Vickery. Records in the data cache include names, encoded but easily reversible birthdays, gender, security questions and answers, and unsalted password hashes using the weak SHA1 algorithm.
Websites including hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com are said to be affected by the breach.
It's not clear exactly how the data was stolen, but the earliest logged exposure -- according to the publication -- is November 22, a little under a month ago.
The Hello Kitty toy brand has major sway in far eastern Asian countries, particularly Japan, where it was invented. Its parent company Sanrio generates more than $7 billion in revenue from the brand alone.
An email to a Sanrio spokesperson was not immediately returned.
The breach comes at a time when consumers and toymakers alike are increasingly aware of the risks their internet-connected dolls and toys pose not only to users' privacy but also to corporate security.
Last month, Hong Kong-based toymaker VTech was hit by a major hack, which led to chat logs between parents and children, as well as photos and audio of children, being taken by the hacker.
Millions of records were stolen in the attack, which was possible as a result of poor network security by the company. In a statement, the company said the database was "not as secure as it should have been."
British police later arrested a 21-year-old man in connection with the VTech hack.