A major domestic video platform with millions of subscribers has had personal information leaked in a single incident. Beyond viewing histories, even core information used to identify users appears to have been exposed, raising concerns about secondary damage.
TVING said in a notice on its website on the 3rd that it had confirmed signs that members' personal information had been leaked outside the company. “On June 2, unauthorized access was made to the database (DB) that stores users’ personal information,” the company said. “It has been confirmed that an unidentified hacker accessed the DB containing personal information and transferred the data files outside.”
◆ What was exposed
The leaked information includes IDs, names, dates of birth, gender, and even CI and DI, which are used for identity verification. CI is a unique number that replaces a resident registration number and identifies the same person across multiple sites, while DI is a value used to prevent duplicate sign-ups within a specific site. Once assigned, these values are not easy to change, making them more dangerous than a leaked phone number or email address.
Some items were encrypted. For mobile phone numbers, only the last four digits were encrypted, and for email addresses, the local part before the domain was encrypted. Refund account numbers were also encrypted. Passwords were protected with one-way encryption (hashing), which makes it difficult to restore the original value. However, encryption does not completely guarantee safety. Even the items exposed in plaintext, such as names, dates of birth, and gender, can be enough to enable sophisticated impersonation.
When this information is combined, the danger multiplies. Fake notices or calls that combine a real name, date of birth, and contact information are much more convincing, and can raise the success rate of voice phishing and smishing.
◆ Reused passwords are even more dangerous
What must be watched most closely in this incident is password reuse. Even if one-way encryption was applied, the situation is different if the same ID and password are used on other sites as well.
That is because attackers commonly take account information leaked from one service and try it in bulk against other sites, an attack known as credential stuffing. This is why TVING urged users to change the passwords for TVING and other services that use the same account information.
Immediately after becoming aware of the leak, the company began responding. It blocked access from the attacker’s IP address, changed cloud access control policies, and strengthened monitoring of DB access. It is also running customer support to help with damage relief, alongside security checks to prevent further spread of harm.
It has also gone through reporting procedures. TVING said, “After determining the situation, we promptly reported it to KISA (Korea Internet & Security Agency) and the Personal Information Protection Commission, and a joint investigation is now under way,” adding, “We will faithfully cooperate with government and related agency investigations and do our utmost to come up with measures to prevent recurrence.”
A company official said, “We sincerely apologize for causing concern to our customers,” adding, “We will transparently disclose any facts that are confirmed.”
◆ What users should do now
Experts advise users who have been notified of the leak not to delay. Changing the TVING password is the minimum, and it is also safer to change the passwords of other sites where the same password was used.
Links in text messages or emails from uncertain sources should not be clicked, and caution is also needed with calls from people claiming to represent financial institutions or other organizations.
Personal information leaks at platform companies are no longer unusual. As the number of subscribers grows and the amount of data handled increases, the frequency of attacks also rises.
The key question is whether this incident will end as a one-off apology and security review, or whether it will lead to structural improvements such as minimizing stored information and tightly managing access rights. The joint investigation results and follow-up measures are expected to become that turning point.