The Japanese creator of the Hello Kitty character said Wednesday its foreign affiliate has corrected a flaw in the fan website that allegedly exposed private information on 3.3 million account-holders.
A spokesman for Sanrio in Tokyo said the affair was being investigated by the Hong Kong-based company Sanrio Digital, which is 30 percent owned by a Sanrio subsidiary and which independently operates sanriotown.com.
US security website CSO had warned that it had found online a database containing sensitive customer data -- including names, birthdays, email addresses and passwords.
But "the vulnerability has been corrected and investigations are underway", Sanrio Digital said in a statement.
"To our knowledge at this time, no personal information of Sanriotown.com users was stolen or exposed," it said, adding that the vulnerability did not include credit card or other payment information.
The Tokyo spokesman said Sanrio separately operates its own official websites, including online shopping functions, and "has nothing to do with this problem".
Citing researcher Chris Vickery, the US firm said hints for questions which users must answer to retrieve passwords for the website were also exposed.
Another Asian toymaker, Hong Kong's VTech Holdings, said late last month that millions of accounts and children's profiles were exposed in a cyber attack on its database.
Hello Kitty, Japan's global icon of cute, has spawned a multi-billion dollar industry since Sanrio introduced the character in 1974.
It appeared on a coin purse the following year and now features on more than 50,000 products in 130 countries and territories.