A database for Sanrio, the Japanese owner of the Hello Kitty brand, was breached, putting the data of 3.3 million of its users at risk, according to security website CSOonline.com's report.
The leaked data include information such as users' full names, email addresses and encrypted passwords, the website reported, citing security researcher Chris Vickery.
"The alleged security breach of the SanrioTown site is currently under investigation. Information will be made available once confirmed," said a spokeswoman for Sanrio, best known for its popular Hello Kitty character, which adorns items ranging from stationery to clothing.
It was not clear if the exposed data contained any financial information.
"There is a great potential of financial data being on these type of sites," said Peter Tran, general manager at network security company RSA, the security division of EMC Corp., adding that there is a possibility of financial information being compromised.
"It could have been a third party that left them vulnerable to be overwhelmed and breached in the way they are now," Tran added.
This is the second major breach of an Asian toy company's database in as many months.
Electronic toymaker VTech Holdings Ltd. said in November that it was the victim of a cyberattack that compromised information about customers who access a portal for downloading children's games, books and other educational content.
Vickery and Sanrio could not immediately be reached for comment.