Sanrio, the Japanese owner of the Hello Kitty brand, on Monday said it was investigating a report that its database was hacked and private information on 3.3 million users was exposed.
The leaked data from the fan site of the Japanese toy company includes information like users' full names, email addresses and encrypted passwords, according to the report by security website CSOonline.com, which cited researcher Chris Vickery.
"The alleged security breach of the SanrioTown site is currently under investigation. Information will be made available once confirmed," said a spokeswoman for Sanrio, best known for its popular Hello Kitty character which emblazons items ranging from stationery to clothing.
It was not clear if the exposed data contained any financial information.
"There is a great potential of finanical data being on these type of sites," said Peter Tran, general manager at network security company RSA, the security division of EMC Corp, adding that there is a possibility of financial information being compromised.
"It could have been a third party that left them vulnerable to be overwhelmed and breached in the way they are now," Tran added.
This is the second major breach of an Asian toy company's database in as many months.
Electronic toymaker VTech Holdings Ltd said in November that it was the victim of a cyber attack that compromised information about customers who access a portal for downloading children's games, books and other educational content.
Vickery could not immediately be reached for comment.