Advisory regarding unauthorized LINE account logins
2020.02.27
1. Outline
In February 2020, LINE encountered a number of incidents where accounts were accessed without the account owners’ consent or knowledge. LINE has confirmed that over 4000 users’ accounts were compromised. Malicious messages from users’ LINE contacts and suspicious timeline content are some of the activities linked to these incidents.
With the explicit permission of the affected users LINE investigated the incident by analyzing related messaging data. As a result of the investigation we determined that the malicious messages and timeline contents involved in these incidents were not simply spam messages used to persuade users to make online purchases but also phishing attempts to permanently hijack LINE accounts.
LINE is continuing to take proactive actions to prevent those attacks from spreading. However, based on our observations, phishing activities via LINE’s functions and email are increasing, and additional damage is occurring.
Even if a user asking for your LINE account information is your friend or other acquaintance you trust, never give anyone your login details.
This document is a warning for all LINE users. It contains information regarding the current state of those phishing incidents as well as instructions to users who suspect their account could be compromised.
2. Damage assessment
During these incidents, the following types of events were confirmed to have taken place. Upon gaining unauthorized access to a user’s LINE account, the timeline and posting functions were used to send malicious messages and content to other users. Other users, after being exposed to these malicious contents, consequently had their accounts hijacked.
- Cases of unauthorized login (abuse of the content posting function)
- Once an account was compromised, malicious messaging activity and timeline content uploading occurred without the account owner’s knowledge.
- As the accounts were not hijacked, they could still be accessed and used by their legitimate owners.
- Number of affected accounts classified by country and/or area:
Japan: 4,073 Taiwan: 81 Thailand: 2 Other countries: 69
Total: 4,225
- Cases of account hijacking
- Incidents where attackers used phishing to gain access to accounts, bypassing necessary SMS and password authentications.
- The number of account hijacking cases is being investigated.
3. Current response to these incidents
Measures taken by LINE
- In order to prevent these incidents from happening in the future, LINE has implemented a number of technical countermeasures.
- The investigation of these incidents is ongoing.
Announcement to affected users
- 2020-02-24: An announcement made to affected users requesting them to change passwords.
- 2020-02-26: For the users who we could not confirm had changed their password, we performed a remote password reset and notified them of that via LINE official account.
Cautionary announcement to all users (Japanese)
- 2020-02-24: “Be aware of account hijacking” https://twitter.com/LINEjp_official/status/1231781502620274689
- 2020-02-20: Announcement on LINE’s official Twitter account: “Be aware of scams” https://twitter.com/LINEjp_official/status/1230363958374068224
- 2020-02-25: Announcement on LINE’s official Timeline: https://timeline.line.me/post/_dTMGEbP13kJOzP8fbCRx6ax7ZCYxZe2bFiob9tA/1158252245007062614
4. Actions requested to be taken by users
- As stated above, we notified the affected users to change their passwords. However, this is limited to those users we know had their LINE accounts compromised.
- LINE cannot guarantee that the users who have not yet been contacted are uncompromised.
- We ask all LINE users to check their timelines and messaging histories regardless of evidence of unauthorized access.
Confirmed account login without the account owner’s acknowledgement
Notification about an account login taking place
- Upon logging in to LINE’s services or the desktop version of the LINE messenger, the user receives a confirmation message (the official account name is LINE with a badge symbol).
- Upon receiving a login notification, confirm its contents. If you cannot recall logging in recently, change your password immediately.
Messaging activity occurring without the account owner’s acknowledgement
- Change password immediately
- If the “unsend ” function is available, remove the malicious message as a way to prevent spreading
Timeline upload activity occurring without the account owner’s knowledge
- Change password immediately
- To prevent spreading, remove the malicious content from your timeline
Received phishing messages from a LINE contact or noticed suspicious timeline activity
This image is an example of a malicious LINE message
- Report suspicious messages and/or timeline activity (as shown in the image above).
- Do not attempt to open the link included in a suspicious message. Should you click the link, do not insert any of the information requested.
Unable to access LINE account
- Fell victim to a phishing message, entered SMS verification code and was suddenly logged out of a LINE account on a mobile device. Should this happen, it is possible that the account was hijacked
- In the case of a LINE account suddenly becoming inaccessible, use the inquiry form. When prompted for username and password, select “continue without logging in”
- In the case where an account cannot be retrieved and a new account is created users can transfer their LINE stickers and LINE Pay balance to their new account by following the instructions.(See help pages for reference: Unauthorized Logins, LINE Pay: I can't use my account after changing devices)
Keeping your account safe: https://linecorp.com/en/safety/account
5. Incident response timeline (Japan time)
- 2020-02-13: First report of suspicious activity from a LINE user to LINE customer support
- 2020-02-19 – 2020-02-24: LINE implements multiple technical measures as countermeasures
- 2020-02-24: Users recognized as being affected (*1) requested to change their account passwords
- 2020-02-26: We performed a remote password reset and users recognized as being affected (*2) were requested to change their passwords.
- (*1) Users who were classified as affected based on LINE’s investigation and data analysis
- (*2) Users who were classified as affected based on LINE’s investigation and analysis but who did not reset their passwords
6. Report change log
- 2020-02-27: Added a method of responding to account hijacking, corrected response time series (corrected first report from February 16 to 13), English report published
- 2020-02-26: Report published (Japanese version)
7. Inquiries related to these incidents
Inquiry about account abusing or identity fraud (for individual LINE users)
https://contact-cc.line.me/detailId/10092
Affected users who are unable to use their accounts
https://contact-cc.line.me/detailId/11242
Select “Continue without logging in” in the login window.