Ah, nuts. I knew the day would come when it would happen to me. Yesterday, I ran across an npr.org story where Korean social media sites Nate and Cyworld were hacked. I just checked, and I’m one of the 35 million affected. Thankfully, what most people would generally deem “sensitive information” was protected with data encryption, such as that used in AlertBoot.
I guess I’ll have to keep an eye out for phishing attempts in the upcoming months.
What Was Stolen
According to the NPR article, the hack originated from China. The hackers made off with the following:
The stolen data included user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use.
I’ve logged into SK’s (the company that operates Nate and Cyworld) website where they have a breach notification with the details. According to it, the hacked information (or rather, my hacked information) includes:
ID, name, date of birth, email address, sex, blood type, physical address, phone numbers (wireless and landline), encrypted citizen ID number (aka, SSN), and encrypted password.
The hack occurred on July 26, and it was confirmed by SK on July 28. SK maintains that the encryption used in this case is the “highest level of encryption.” I’m hoping that means something like AES-256 or equivalent, the strong encryption for computers that we use over here at AlertBoot.
Aside from the notification, there are warnings about voice phishing and phishing (SPAM). Plus, there are two helpful tools.
One is a link for changing your passwords, with the explanation that if a user’s hacked password was composed of one’s birthdate, cell phone number, or simple number arrangements (I’m guessing something like 1234), it would be better to change them immediately, despite the encrypted nature of the password.
The idea is that the hackers could use the non-encrypted data to figure out the password. For example, if your password is your birth date, the fact that your password is encrypted is quite moot because the hackers have your date of birth.
The other tool is a breach verifier. You type in your name and SSN/Citizen ID and it lets you know whether you were hacked, and what was stolen.
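The password-change advice above, written as a check a site could run when a user sets a new password. This is an added example, not SK's code; the profile field names and the sample profile are constructed for illustration.

```python
from datetime import date

def derived_candidates(profile):
    """Map strings derivable from plaintext profile fields to the field name."""
    cands = {}
    born = profile["birth_date"]
    # Common ways people write a birth date as digits.
    for fmt in ("%Y%m%d", "%y%m%d", "%m%d%Y", "%d%m%Y", "%m%d", "%Y"):
        cands[born.strftime(fmt)] = "birth date"
    for phone in profile["phones"]:
        digits = "".join(ch for ch in phone if ch.isdigit())
        # Full number, number without the prefix, and last four digits.
        for part in (digits, digits[-8:], digits[-4:]):
            cands[part] = "phone number"
    cands[profile["user_id"].lower()] = "user ID"
    cands[profile["email"].split("@")[0].lower()] = "email address"
    # Ignore very short fragments to limit false positives.
    return {value: field for value, field in cands.items() if len(value) >= 4}

def is_simple_sequence(password):
    """True for runs such as 1234, 4321, 1111 or abcd."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1}, {0})

def check_password(password, profile):
    """Return the sorted reasons a new password should be rejected."""
    lowered = password.lower()
    reasons = set()
    if is_simple_sequence(lowered):
        reasons.add("simple sequence")
    for value, field in derived_candidates(profile).items():
        if value in lowered:
            reasons.add(field)
    return sorted(reasons)

# Constructed sample profile, limited to fields the notification lists as unencrypted.
SAMPLE_PROFILE = {
    "user_id": "hkim80",
    "birth_date": date(1980, 3, 15),
    "phones": ["010-5555-0142", "02-5555-0199"],
    "email": "h.kim@example.com",
}

if __name__ == "__main__":
    for pw in ("19800315", "1234", "Hkim80!", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw, SAMPLE_PROFILE) or "ok")
```

An empty result means the password cannot be rebuilt from the plaintext fields that were taken; it says nothing about the password's strength otherwise.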
What’s with the Blood Type? Do You Need a DNA Test Before Signing Up or Something?
You might be wondering why my blood type, sex (gender), and SSN are part of the hacked data. The implication is that it was collected. For the former, it wasn’t, actually. It was provided by me.
In Korea, there is this lore that blood types can predict your personality. It’s actually a Japanese thing. Regardless, it’s a conversation starter. Hence, it is displayed in social media sites, including Facebook, if you’re living in Asia. (And, yeah, I don’t buy it. Some call it a pseudoscience; I take offense at it being linked to science in any way or form.)
As for the SSN, defamation laws are very strict in Korea, so signing up for anything on-line pretty much requires an SSN, in case the authorities have to track one down for trouble one creates on the internet. In fact, signing up for free email accounts required such information. This trend, however, is dying out due to online hacks such as the above one.
Am I Concerned?
Yes, but not overly concerned. I mean, I know what the risks are, and if I take at face value what SK tells me about my data being encrypted, it looks like I’m on the safe side. Unlike others who voice doubt about encryption, I see what encryption can do when it comes to data security every day. It might not be perfect, but the odds of me being safe are very good.
I mean, it could be worse, such as what my boss faced a couple of years back. No encryption on that one.