KS Korea Employment Information: Data breach exposes 430,000 Duo members

Massive Data Breach Exposes Sensitive Information of 430,000 Duo Matchmaking Users in South Korea

A major data breach at Duo, South Korea’s largest matchmaking service, has compromised the personal information of 427,464 paying members, exposing highly sensitive details in one of the country’s most significant privacy violations. The incident, which occurred in January 2025, stemmed from a hacked work computer used by an employee handling user data.

The leaked records included names, dates of birth, encrypted resident registration numbers, phone numbers, addresses, and 24 other categories of personal data such as height, weight, marital history, education, religion, family background, employer details, and blood type. Given the nature of matchmaking services, which require extensive profiling, the breach’s scope and sensitivity were particularly severe.

South Korea’s Personal Information Protection Commission (PIPC) fined Duo 1.197 billion won ($880,000 USD) and imposed an additional 13.2 million won ($9,700 USD) penalty for violating the Personal Information Protection Act. Investigators found that Duo failed to implement basic security measures, including:

  • No lockout after repeated failed login attempts to its member database.
  • Weak encryption algorithms for resident registration numbers and passwords.
  • Unlawful collection and storage of resident registration numbers without legal justification.
  • Retention of user data beyond the five-year limit stated in its privacy policy, leaving 298,566 outdated records exposed.

Duo also violated reporting requirements, failing to disclose the breach within the legally mandated 72-hour window or notify affected users promptly. The PIPC has ordered the company to publicly disclose the breach, notify impacted individuals, and post the sanctions on its website. Authorities are pursuing the hack’s origin and intend to hold responsible parties accountable.

In a separate case, the PIPC fined KS Korea Employment Information 3.537 billion won ($2.6 million USD) and Geumneung Park Cemetery 54.2 million won ($40,000 USD) for breaches affecting 40,875 and 5,373 individuals, respectively. The incidents highlight ongoing vulnerabilities in South Korea’s data protection landscape.

Source: https://www.donga.com/en/article/all/20260424/6198238/1

Personal Information Protection Commission (PIPC), Republic of Korea cybersecurity rating report: https://www.rankiteo.com/company/personal-information-protection-commission-pipc-republic-of-korea
