Koo.com Inc. Ordered to Immediately Patch Security Vulnerabilities After Massive Data Breach; CPNG-US Faces Regulatory Penalties

South Korean authorities ordered Koo.com Inc. (CPNG-US) to immediately patch critical security vulnerabilities following a probe linking the company to the nation’s most severe data breach to date. The government alleges these flaws enabled unauthorized access to user accounts, leading to the exfiltration of personal data. According to a report, the breach was traced to a former Koo engineer who exploited identity verification system weaknesses and had access to internal security keys. Attackers accessed user accounts without going through normal login procedures, using forged credentials. The incident spanned from April to November 2025, compromising approximately 33.7 million users. The Science and Information Communication Ministry found Koo failed to detect forged logins and did not rotate critical signing keys in a timely manner, leaving the authentication mechanism vulnerable. It is alleged that Koo did not report the breach within the required 24 hours, violating the Information and Communications Act. The ministry is considering a maximum fine of 30 million won (~$20,600) and is pursuing data preservation orders as part of ongoing investigations by police and the Personal Data Protection Authority. Koo has yet to issue a public response.