File Composed of Selected Information from Closed Store Sellers
"May Not Be Simple Crawling"... Increased Risk of Targeted Phishing
Naver: "Enhancing Technology to Prevent Unauthorized Data Collection"
Sample file of personal information of former Naver Smart Store sellers uploaded to the dark web market in January this year. It contains their store names, mobile phone numbers, email addresses, dates of birth, and more. (Photo: dark web screenshot)
It has been revealed that the personal information of 732,000 sellers from Naver's e-commerce solution, Smart Store, is being traded as a file on the dark web. Following a series of customer data breaches at SK Telecom and global luxury brands such as Dior and Cartier, and with Yes24 being paralyzed by a ransomware attack last week, even Naver, the largest portal site in Korea, can no longer be considered a safe haven for personal information. As personal data continues to be leaked from various sources, there are growing calls for urgent security audits of domestic tech companies.
According to an investigation by Asia Economy on June 17, the personal information of Naver sellers was put up for sale on the dark web around 5 a.m. on January 4 and was circulated until early this month. The leaked data includes not only the Smart Store name, business type, email, and seller’s name, but also personal details such as the seller’s date of birth and mobile phone number.
The dark web is an online space where hackers leak or trade stolen information, accessible only through specific programs or routes. If someone purchases the personal information of 732,000 sellers with malicious intent, it could be used for illegal activities.
A significant portion of the 732,000 Smart Store seller records for sale appears to belong to sellers who have already closed their businesses on Naver. The dark web listing included a sample file containing information on more than 2,000 sellers, which could be viewed without purchasing the entire dataset. Upon review, the store names in the sample file were either not found on Naver Smart Store or displayed a message stating, "This store is no longer in operation."
Regarding the incident, Naver stated, "It is highly likely that this was an external crawling activity targeting seller information that was publicly available on individual Smart Store pages." The company added, "To prevent crawling, we are implementing CAPTCHA, which requires users to enter numbers or letters to verify they are not automated programs, and we are also inserting random numbers or letters into the URLs of web pages containing seller information."
A screen capture of a post on the dark web market showing past seller information from Naver Smart Store. Information on 732,323 people is posted. (Photo: dark web screen capture)
Since the information of more than 732,000 sellers, including mobile phone numbers, was collected externally, Naver claims this does not constitute a leak of sensitive personal information. However, there are still questions about how Naver managed the personal information of Smart Store sellers after their businesses closed.
Security experts find it unusual that the file was composed solely of information from businesses that had ceased operations. A security company official, who requested anonymity, commented, "While it is possible that someone collected the information through crawling before the Smart Stores closed, the fact that the file contains only information from businesses that have ceased operations and is organized separately suggests it may not be a simple case of crawling."
A dark web market post selling personal information of Naver Smart Store sellers. It includes not only the sellers' dates of birth, which are not disclosed on Smart Store, but also their names, contact numbers, addresses, and emails.
Another expert pointed out, "Although the file does not contain information such as resident registration numbers or passwords, it is dangerous when various pieces of personal information that can identify an individual are combined." He added, "Because it becomes easier to deceive the individual, there is a high risk that this information could be exploited for targeted phishing, smishing, or voice phishing crimes."
Attorney Jeon Sangbeom of Law Firm Logos stated, "According to the Electronic Commerce Act, Naver, as a mail-order brokerage business, is required to provide the operator’s name, phone number, and email to consumers (Article 20, Paragraph 2 of the Electronic Commerce Act and Article 25, Paragraph 2 of its Enforcement Decree), but this only applies while the business is in operation." He continued, "If information retained by Naver after business closure was leaked, it would fall under 'cases where personal information is lost, stolen, or leaked' as defined in Article 28 of the Personal Information Protection Act, and could result in a fine."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

