Dark Web News Analysis: Cozy Pension Data and Source Code for Sale
A comprehensive dataset, reportedly from the Korean hotel and accommodation booking service Cozy Pension (cozypension.co.kr), is being advertised for sale on a hacker forum. The threat actor claims the leak is a complete compromise, containing not just customer information but also admin server data and the website’s underlying PHP source code.
This is a particularly severe type of breach. The customer data alone is highly sensitive, allegedly including:
- Personal Information (IDs, passwords, phone numbers, addresses)
- Bank details
- Detailed reservation and travel information
- Business numbers and other user data
The inclusion of the site’s source code and administrative data elevates the threat significantly, providing attackers with the tools to perpetrate further, more sophisticated attacks.
Key Cybersecurity Insights
This incident goes beyond a standard data leak and represents a full-scale compromise with several critical implications:
- A “Breach-in-a-Box”: The leak of the PHP source code alongside the user database is a “breach-in-a-box.” It provides other malicious actors with a complete blueprint of the application. They can now analyze the code offline to discover new, previously unknown (0-day) vulnerabilities, find hardcoded passwords or API keys, and fully understand the business logic to craft more effective attacks.
- High Risk of Direct Financial Fraud: The explicit mention of customer bank details combined with PII and reservation information creates a direct and immediate threat. Criminals can use this data to attempt financial fraud, commit identity theft, or craft extremely convincing phishing and vishing (voice phishing) scams targeting recent travelers.
- Compromise of Admin Data Enables Deeper Intrusion: The claim of possessing “admin server data” is highly concerning. This could include sensitive configuration files, credentials for other backend services (like cloud hosting or payment gateways), or information that allows an attacker to pivot from the public-facing website into the company’s internal corporate network, potentially leading to a full-scale ransomware attack.
- Physical Security Risks for Travelers: As with any travel-related data breach, the leak of reservation details, names, and contact information poses a tangible physical security risk. Criminals could use this information to target travelers with scams, theft, or other crimes at their accommodation during their stay.
Critical Mitigation Strategies
An urgent and comprehensive response is required from the company, and its customers must be on high alert.
- For Cozy Pension: Assume Full Server Compromise and Investigate: The company must operate under the assumption of a full compromise of its web server, not just a database leak. An immediate and deep forensic investigation (compromise assessment) is necessary to determine the root cause, identify if any backdoors have been planted, and understand the full scope of the data exfiltration.
- For Cozy Pension: Invalidate All Credentials and Notify Customers: Cozy Pension must immediately force a password reset for all customers and internal staff. A clear and transparent notification must be sent to all affected customers, specifically warning them about the severe risks associated with the leak of their PII and banking details.
- For Customers: Monitor Bank Accounts and Change Reused Passwords: Affected customers must immediately begin monitoring their bank accounts for any sign of fraudulent activity. It is also critical for them to change their password on the Cozy Pension site and on any other website where they have reused the same password to prevent widespread account takeovers via credential stuffing.
- For Cozy Pension: Conduct an Urgent Code Review and Security Hardening: With its source code now likely in the hands of attackers, the company is in a race against time. They must conduct an emergency security review of their entire PHP codebase to find and remediate all vulnerabilities, especially any hardcoded secrets, before they can be exploited by new threat actors.
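The emergency review described above has to locate hardcoded secrets across a PHP codebase quickly. The following scanner is an added example (not Cozy Pension's code; the secret-name list and the sample config are constructed here) that flags string literals assigned to credential-like variables, define() constants and config-array keys, while leaving values read from the environment alone:

```python
import re
from typing import List, Tuple

# Identifier fragments that commonly hold credentials in PHP (assumed list; extend per codebase).
SECRET_NAMES = r"(?:pass(?:word|wd)?|secret|api_?key|token|private_?key)"

# $db_password = 'literal';
VAR_ASSIGN = re.compile(
    r"\$(?P<name>\w*" + SECRET_NAMES + r"\w*)\s*=\s*(?P<q>['\"])(?P<value>.*?)(?P=q)\s*;",
    re.IGNORECASE,
)
# define('API_KEY', 'literal');
DEFINE_CONST = re.compile(
    r"define\(\s*(?P<q1>['\"])(?P<name>\w*" + SECRET_NAMES + r"\w*)(?P=q1)\s*,\s*"
    r"(?P<q2>['\"])(?P<value>.*?)(?P=q2)\s*\)",
    re.IGNORECASE,
)
# 'password' => 'literal'  (config arrays)
ARRAY_KEY = re.compile(
    r"(?P<q1>['\"])(?P<name>\w*" + SECRET_NAMES + r"\w*)(?P=q1)\s*=>\s*"
    r"(?P<q2>['\"])(?P<value>.*?)(?P=q2)",
    re.IGNORECASE,
)


def find_hardcoded_secrets(php_source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, identifier, literal) for every hardcoded secret literal.
    Comment lines and empty placeholders are skipped; getenv()/$_ENV reads are not
    string literals, so they never match."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if line.strip().startswith(("//", "#", "*")):
            continue
        for pattern in (VAR_ASSIGN, DEFINE_CONST, ARRAY_KEY):
            for m in pattern.finditer(line):
                if m.group("value"):
                    findings.append((lineno, m.group("name"), m.group("value")))
    return findings


# Constructed sample config file, not real Cozy Pension code.
SAMPLE_PHP = """<?php
// constructed sample, lines 4, 5 and 7 contain hardcoded secrets
$db_host = 'localhost';
$db_password = 'hunter2';
define('API_KEY', 'sk_live_abc123');
$smtp_password = getenv('SMTP_PASSWORD');
$config = ['user' => 'app', 'password' => 'p@ss'];
$session_token = '';
"""

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_secrets(SAMPLE_PHP):
        print(f"line {lineno}: {name} = {value!r}")
```

Run it over the real tree with `find . -name '*.php'` and feed each file to `find_hardcoded_secrets`; every hit is a secret to rotate, not just to delete from the code, since the leaked copy still contains it.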