Data breach exposes 430,000 Duo members

Posted April 24, 2026 08:48

Updated April 24, 2026 08:48

A large-scale data breach has exposed the personal information of roughly 430,000 members at Duo, South Korea’s leading matchmaking service. The leaked records included user IDs and resident registration numbers, as well as sensitive details such as height, weight and education that members had provided while seeking partners.

The Personal Information Protection Commission said Wednesday that it fined Duo 1.197 billion won and imposed an additional 13.2 million won penalty for violating the Personal Information Protection Act. The sanctions stem from a January 2025 hacking incident in which a work computer used by an employee handling personal data was compromised, exposing information on 427,464 paying members.

The breached data included names, dates of birth, encrypted resident registration numbers, phone numbers and addresses, along with highly sensitive details such as height, weight, marital history, schools attended, religion, family background, employer and blood type. The commission identified at least 24 categories of compromised data. Given the nature of matchmaking services, which require extensive personal profiles, the breadth and detail of the leak were particularly significant.

Investigators found that Duo had failed to implement basic security safeguards. The company did not block access after repeated failed login attempts to its member database and used weak encryption algorithms to protect resident registration numbers and passwords, leaving its systems vulnerable to intrusion. It also collected and stored resident registration numbers during membership registration without a valid legal basis.

The investigation also found that Duo retained personal data beyond the five-year period stated in its privacy policy. As a result, information belonging to 298,566 users that should have been deleted remained stored and was ultimately exposed.

Duo did not report the breach within the legally required 72-hour window and failed to notify affected users in a timely manner, despite the sensitivity of the compromised data.

The commission ordered Duo to promptly notify affected individuals, disclose details of the breach and post the sanctions on its website. Authorities said they will trace the source of the hack and bring those responsible to justice.

Separately, the commission fined KS Korea Employment Information 3.537 billion won and imposed an additional 4.2 million won penalty after the personal data of 40,875 individuals, including counselors, employees and job applicants, was compromised. It also imposed a 54.2 million won fine on Geumneung Park Cemetery over a breach affecting 5,373 users.


Reporter Han Jae-hee hee@donga.com