Notice regarding LINE Creators Market information leakage
2020.12.04
All times are in JST unless noted otherwise
1. Overview
We have detected that several private license certificate files uploaded by creators on LINE Creators Market (https://creator.line.me/) were accessible to the public from April 17, 2014 to October 31, 2020. We apologize for any inconvenience experienced by our users.
As the files may contain creators' personal information, only the department in charge of reviewing the creators market service should have been allowed to view them. However, during the affected time frame it was possible for any third party who had the URLs to access the files without authentication.
We also confirmed that the files were collected by a web archive, a service that stores files on the Internet, and were available for access on the Internet.
As of October 27, 2020, external access to the files that were accessible on LINE Creators Market has been blocked. We also requested deletion from the web archive immediately after the incident was discovered, and the deletion was completed as of October 31, 2020.
Following an investigation, we found that no records are available from before March 2016. For this reason, we are unable to provide an accurate explanation of whether there was any external access to the files before that period and how the damage occurred.
We have already identified rights images and notified users whose information has been leaked due to external access, but we would also like to give notice of this incident here and express our sincere regret.
We take the protection of personal information very seriously and are taking proactive measures to prevent this issue from reoccurring.
For inquiries regarding this matter, please contact us using the form below.
2. Incident Assessment
Duration: April 17, 2014 to October 31, 2020
Access confirmed outside the log retention period (from April 17, 2014 to March 2016): Unknown
Access confirmed within the log retention period (as of March 2016):
Confirmed external access: 83 cases
Access estimated from the access logs to be part of our review process, although this cannot be asserted with accuracy: 2,048 cases (*1)
File contents and possible information:
A file attachment function is provided so that creators can upload a license certificate file proving permission for copyright and portrait rights when applying for review of stickers (themes, emoji) on LINE Creators Market.
This function is also used for files that are exchanged with creators during the review process. These files may contain personal information such as names and addresses of individuals submitted upon registration as creators.
Cause of incident:
Insufficient network authentication control over the server storing the files is the direct cause of the information leakage. We estimate that the URLs of the files leaked this time were random and long enough that it was difficult for a third party to access them by guessing.
We continue to investigate, but we believe that leakage of the file URLs led to the increased number of external accesses to the web archive. We intend to update this notice once the cause of this incident is identified.
Our response:
Regarding access control over the server storing the leaked files, we have blocked access from the Internet as of October 27, 2020. Regarding our response to the cause of the URL leakage, we will take action as soon as the cause is identified.
Note:
Of the accesses recorded within the log retention period (as of March 2016), the 83 users and creators for whom external access was confirmed have been individually notified and given an explanation of the incident.
Regarding access to the web archive, the exact number cannot be confirmed on our end and is unknown. As stated in the overview, we have already requested that this service delete the files from LINE Creators Market, and we have also confirmed that they have been deleted.
(*1) Based on the access logs for the relevant files, we estimate which accesses were review work from the User Agent used for access, the referer indicating the page transition at the time of access, and other factors.
3. Correspondence in chronological order
October 27, 2020, 00:59: Received a report about the incident from a participant in the LINE Security Bug Bounty Program. After the investigation, blocked access to the files at 10:42 on the same day and made a deletion request to the web archive at 10:57.
October 30, 2020, 19:23: Notification sent to users and creators who are believed to have been affected based on the initial investigation
October 31, 2020, 12:22: Confirmed the files were removed from the web archive
November 5, 2020, 18:06: More impacts were confirmed by additional investigation of access logs
November 12, 2020, 18:43: Notification about the web archive deletion and investigation status sent to users and creators who had been notified of this incident on October 31, 2020 (*2)
November 20, 2020, 15:48: Notification sent to users and creators who were found to have been affected based on additional investigation conducted on November 5, 2020
November 20, 2020, 17:00: Notification posted
(*2) We are unable to notify four users and creators of the incident due to the deletion of the corresponding sticker application.
4. Update history
December 4, 2020: Notification posted in English
5. Inquiries regarding this matter
For inquiries regarding this matter, please contact us via the form below.