LY Corporation and NAVER Cloud: LY Corp Discloses LINE GAME Identifier Leak Affecting 6.1 Million Over Four Years

LY Corporation and NAVER Cloud: LY Corp Discloses LINE GAME Identifier Leak Affecting 6.1 Million Over Four Years

LY Corporation Discloses 4-Year Data Exposure Affecting 6.1 Million LINE GAME Users

LY Corporation, operator of Japan’s dominant messaging platform LINE, revealed on July 13, 2026, that a misconfigured advertising analytics tool had silently transmitted internal user identifiers from three LINE GAME titles to a third-party partner for nearly four years. The exposure, discovered internally on April 1, 2026, affected approximately 6.1 million unique users across LINE PokoPoko, LINE Pokopang Town, and LINE Pokopang the latter of which ceased operations in June 2025, over a year before the public disclosure.

The incident stemmed from a May 25, 2022, configuration change by the partner company, which inadvertently enabled the tool to receive an internal user identifier a random character string used to distinguish accounts alongside ad performance data. Neither LY Corp nor the partner audited the tool’s settings before or after the change, allowing the identifier to transmit with every user session for 1,409 days. In total, 7.1 million records were sent: 5.47 million from LINE PokoPoko, 790,000 from LINE Pokopang Town, and 840,000 from LINE Pokopang. Of these, 930,000 records belonged to guest users, whose identifiers could not be linked to individual accounts.

LY Corp emphasized that the exposed identifiers were not "personal data" under Japan’s Act on the Protection of Personal Information (APPI), as they lacked direct identifiers like names or contact details. However, the company did not address whether the partner’s analytics tool retained behavioral data (e.g., session times, ad interactions) alongside the identifiers a combination that could enable audience segmentation or re-identification at scale. The partner confirmed deletion of the transmitted identifiers, but LY Corp’s disclosure did not clarify whether associated behavioral data was also purged.

The incident highlights a recurring vulnerability in mobile gaming: misconfigured third-party SDKs. Research cited by the International Association of Privacy Professionals notes that gaming apps embed an average of 17.5 SDKs, with analytics and advertising tools being the most prevalent. LY Corp’s own "User Privacy First" governance framework was intended to include audits of outgoing data flows, but the 2022 configuration change evaded detection until April 2026.

The 103-day delay between discovery and public disclosure raises questions about compliance with Japan’s amended APPI, which mandates preliminary breach reports to the Personal Information Protection Commission (PPC) within three to five days for incidents affecting over 1,000 individuals. LY Corp has not confirmed whether it filed such a report, citing the identifiers’ non-personal nature as a potential exemption. Notably, the company remains under active PPC monitoring following a 2023 breach involving malware at a NAVER Cloud subcontractor, which exposed data of 440,000 individuals and prompted regulatory corrective actions. The LINE GAME misconfiguration originated in May 2022 before the 2023 breach and persisted throughout LY Corp’s ongoing remediation efforts, which are projected to continue through December 2026.

LY Corp stated that no unauthorized use of the identifiers has been detected and that affected users are being notified individually. While the immediate risk is deemed low, the incident underscores the privacy risks of persistent identifiers in ad analytics tools, even when stripped of traditional personal data.

Source: https://www.techtimes.com/articles/320434/20260714/ly-corp-discloses-line-game-identifier-leak-affecting-61-million-over-four-years.htm

LY Corporation TPRM report: https://www.rankiteo.com/company/lycorpjp

NAVER Cloud TPRM report: https://www.rankiteo.com/company/naver

"id": "lycnav1784047058",
"linkid": "lycorpjp, naver",
"type": "Breach",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '6.1 million unique users',
                        'industry': 'Technology, Messaging & Gaming',
                        'location': 'Japan',
                        'name': 'LY Corporation (LINE GAME users)',
                        'type': 'Corporation'}],
 'attack_vector': 'Misconfigured Third-Party Tool',
 'customer_advisories': 'Affected users notified individually',
 'data_breach': {'number_of_records_exposed': '7.1 million',
                 'personally_identifiable_information': 'No (identifiers '
                                                        'lacked direct '
                                                        'personal data like '
                                                        'names or contact '
                                                        'details)',
                 'sensitivity_of_data': 'Low (not classified as personal data '
                                        'under APPI, but could enable audience '
                                        'segmentation)',
                 'type_of_data_compromised': 'Internal user identifiers '
                                             '(random character strings)'},
 'date_detected': '2026-04-01',
 'date_publicly_disclosed': '2026-07-13',
 'description': 'LY Corporation revealed that a misconfigured advertising '
                'analytics tool had silently transmitted internal user '
                'identifiers from three LINE GAME titles to a third-party '
                'partner for nearly four years. The exposure affected '
                'approximately 6.1 million unique users across *LINE '
                'PokoPoko*, *LINE Pokopang Town*, and *LINE Pokopang*. The '
                'incident stemmed from a May 25, 2022, configuration change by '
                'the partner company, which inadvertently enabled the tool to '
                'receive an internal user identifier alongside ad performance '
                'data. Neither LY Corp nor the partner audited the tool’s '
                'settings, allowing the identifier to transmit for 1,409 days.',
 'impact': {'brand_reputation_impact': 'Potential erosion of trust due to '
                                       'recurring incidents',
            'data_compromised': 'Internal user identifiers (7.1 million '
                                'records)',
            'identity_theft_risk': 'Low (identifiers alone not directly '
                                   'linkable to personal data)',
            'legal_liabilities': 'Potential non-compliance with Japan’s APPI',
            'operational_impact': 'Delayed detection and disclosure, '
                                  'regulatory scrutiny',
            'systems_affected': 'LINE GAME titles (*LINE PokoPoko*, *LINE '
                                'Pokopang Town*, *LINE Pokopang*)'},
 'investigation_status': 'Ongoing (remediation projected through December '
                         '2026)',
 'lessons_learned': 'Recurring vulnerability in mobile gaming due to '
                    'misconfigured third-party SDKs; need for stricter audits '
                    'of outgoing data flows and third-party tool '
                    'configurations.',
 'post_incident_analysis': {'corrective_actions': 'Deletion of transmitted '
                                                  'identifiers by partner; '
                                                  'user notifications; ongoing '
                                                  'remediation efforts; '
                                                  'potential enhancements to '
                                                  'governance and audit '
                                                  'processes.',
                            'root_causes': 'Misconfigured third-party '
                                           'advertising analytics tool; lack '
                                           'of audits before/after '
                                           'configuration changes; delayed '
                                           'detection due to oversight gaps in '
                                           'governance framework.'},
 'recommendations': 'Implement regular audits of third-party SDKs and data '
                    'flows; enhance governance frameworks to detect '
                    'configuration changes; improve breach detection and '
                    'disclosure timelines.',
 'references': [{'source': 'International Association of Privacy '
                           'Professionals'}],
 'regulatory_compliance': {'regulations_violated': 'Potential non-compliance '
                                                   'with Japan’s *Act on the '
                                                   'Protection of Personal '
                                                   'Information (APPI)* '
                                                   '(delayed disclosure)',
                           'regulatory_notifications': 'Unconfirmed (potential '
                                                       'exemption due to '
                                                       'non-personal data '
                                                       'classification)'},
 'response': {'communication_strategy': 'Individual user notifications, public '
                                        'disclosure',
              'containment_measures': 'Partner deleted transmitted identifiers',
              'remediation_measures': 'User notifications, ongoing remediation '
                                      'efforts (projected through December '
                                      '2026)',
              'third_party_assistance': 'Partner company confirmed deletion of '
                                        'transmitted identifiers'},
 'title': 'LY Corporation Discloses 4-Year Data Exposure Affecting 6.1 Million '
          'LINE GAME Users',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Lack of audit and oversight of third-party SDK '
                            'configurations'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.