The luxury platform Must It suffered a hacking incident involving customers' personal information. Must It stated on the 26th, “On the 23rd, we were notified of personal information breach indicators through the Korea Internet & Security Agency (KISA),” and “Our internal inspection confirmed that there were two abnormal access attempts on May 6-14 and June 9.”
According to Must It, a large number of abnormal access attempts against a specific API occurred between May 6 and May 14, and a second attempt was detected on June 9 through the same API path.
The API in question was structured so that parts of the personal information could be viewed without separate authentication. Must It said, “Immediately upon identifying the incident, we blocked the relevant vulnerability and completed comprehensive security measures,” and “We reported the incident to the relevant authorities (Personal Information Protection Commission and KISA) as soon as we recognized it.”
The potentially leaked personal information items include membership number, ID, registration date, name, date of birth, gender, mobile phone number, email, address, etc. Information from withdrawn members was not included.
On the Must It website, users can check whether their personal information was leaked and which items were affected. Must It has completed a security inspection of the entire system following the incident.
Work is underway to remediate similar vulnerabilities across the board. Unauthenticated API requests to the specific path have been restricted, and the logging and monitoring system for abnormal access has been strengthened.
Must It explained, “The problematic existing API has been discarded, and we replaced it with a new API structure that allows personal information access only for requests that have undergone identity verification,” and “We are expanding this method to all APIs that return personal information.”
It also stated, “We take this incident very seriously, and we will continuously strengthen technical and managerial security measures to better protect our customers' personal information,” adding, “We sincerely apologize once again and will do our utmost to become a trusted platform.”
Earlier, brands such as Dior, Tiffany Korea, and Adidas also suffered customer information leakage incidents.
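
The article describes many unauthenticated requests to one API path that returned personal information, and says monitoring for abnormal access was strengthened afterwards. The following Python example is added for illustration and is not Must It's code: it flags clients that read many distinct member records without authentication inside a short time window. The log layout, the `/api/v1/members/<id>` path, the threshold and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log layout and API path, constructed for this example.
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"/api/v1/members/(?P<member>\d+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

def parse(line):
    """Return a dict for requests to the member (PII) path, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_abnormal_access(lines, window=timedelta(minutes=5), threshold=4):
    """Map client IP -> most distinct records read unauthenticated in one window."""
    hits = defaultdict(list)  # ip -> [(timestamp, member_id)]
    for rec in filter(None, map(parse, lines)):
        if rec["auth"] == "none" and rec["status"] == "200":
            hits[rec["ip"]].append((rec["ts"], rec["member"]))
    alerts = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = {member for _, member in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts

# Constructed sample lines (documentation IP ranges, made-up member numbers).
SAMPLE_LOG = [
    "2024-01-01T02:14:00Z 203.0.113.7 GET /api/v1/members/1001 200 auth=none",
    "2024-01-01T02:14:10Z 203.0.113.7 GET /api/v1/members/1002 200 auth=none",
    "2024-01-01T02:14:20Z 203.0.113.7 GET /api/v1/members/1003 200 auth=none",
    "2024-01-01T02:14:30Z 203.0.113.7 GET /api/v1/members/1004 200 auth=none",
    "2024-01-01T02:15:00Z 198.51.100.20 GET /api/v1/members/2001 200 auth=session",
    "2024-01-01T02:16:00Z 192.0.2.9 GET /api/v1/members/3001 200 auth=none",
    "2024-01-01T02:17:00Z 192.0.2.9 GET /api/v1/products/55 200 auth=none",
]

if __name__ == "__main__":
    print(find_abnormal_access(SAMPLE_LOG))
```

Once a PII-returning path requires identity verification, any `200` response logged with `auth=none` on that path is itself a regression signal, independent of volume.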