
Boryung Corporation, one of the largest healthcare and pharmaceutical firms in South Korea, leaked millions of internal messages, along with thousands of employee records, including emails and encrypted passwords.
- Boryung Corporation left an unsecured MongoDB instance exposed containing over 8M internal chat messages.
- The leak compromised 3,500 employee records including full names, corporate emails, and hashed password data.
- Exposed internal communications may reveal sensitive business discussions, HR topics, and proprietary project management exchanges.
- The database was accessible on the public internet without required password protection or authentication.
While high-tech companies often go out of their way to protect intellectual property, the same can’t always be said about other sensitive data. For example, the Cybernews research team discovered an exposed MongoDB instance containing millions of chat messages from Boryung Corporation.
The South Korean pharma and healthcare firm is a well-known brand in its home market, and an employer to nearly 1,500 individuals. We have reached out to the company for comment and will update the article once we receive a reply.
According to our team, the exposed MongoDB instance, often used by companies to store large volumes of business data, contained more than eight million internal corporate chat messages from GW's internal Messenger.
GW Messenger is a Korean enterprise messaging system used by various companies. The team believes that this was almost certainly an internal employee communication platform backend accidentally left exposed.
Moreover, alongside leaked chats, the team found nearly 3,500 employee user records.
“This exposure represents a severe corporate security incident, revealing internal communications, organizational structure, device metadata, and identity data that could enable targeted cyberattacks,” our researchers explained.
While the company did not respond to our team’s queries, the exposed database was eventually closed and is no longer available to the public.
What did the Boryung Corporation data leak involve?
The exposed MongoDB was left completely unprotected and required no authorization. Additionally, the database was accessible on the public internet with full read permissions, meaning anyone who discovered it could read its contents.
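The condition described above (no authentication plus a listener reachable beyond the local host) can be checked for in a MongoDB configuration file before deployment. The following is an added example, not code from Cybernews or Boryung; it assumes the standard `net.bindIp`, `net.bindIpAll` and `security.authorization` options of `mongod.conf`, and the sample configurations, function names and finding labels are constructed for illustration.

```python
# Added example: audit mongod.conf text for the two settings behind an
# unauthenticated, network-reachable MongoDB. Sample configs are constructed.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' subset that mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw[0].isspace():                  # top-level key opens a section
            section = conf.setdefault(key, {})
        elif section is not None:
            section[key] = value.strip().strip("\"'")
    return conf

def audit(text):
    """Return finding labels; both together match the exposure in the article."""
    conf = parse_simple_yaml(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    # Access control is off unless explicitly enabled.
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("auth-disabled")
    binds = {b.strip() for b in net.get("bindIp", "localhost").split(",")}
    # Any non-loopback listener needs a firewall or private network in front.
    if net.get("bindIpAll", "false") == "true" or binds - LOOPBACK:
        findings.append("listens-beyond-loopback")
    return findings

EXPOSED_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # constructed private address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

The hardened sample still reports `listens-beyond-loopback`: binding to a private interface is normal for an application backend, but it means network-level filtering has to be verified separately from the configuration file.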
Broadly, the exposed data can be categorized into three distinct groups. The first one is employee identity data, which involved:
- Full names
- Corporate emails
- Usernames
- Hashed passwords
- Device metadata
The most obvious way attackers could exploit this type of data is identity theft, where attackers impersonate users whose data has been leaked online. However, in this case, malicious actors are far more likely to exploit the data for social engineering purposes.
Malicious actors may have also created their own accounts on the messaging platform to help with social engineering or even changed user passwords for the same purpose.
Even though the leaked passwords were hashed, the team believes that motivated attackers could take their sweet time trying to “crack” the hashes offline. If successful, not only could they breach the company’s systems, but hackers could also attempt credential stuffing, as people often recycle the same passwords for several accounts.
Another group of exposed data falls under internal communications as it involved 8 million chat messages that most likely included:
- Business discussions
- HR topics
- Financial communication
- Internal links, documents, or attachments
- Project management exchanges
- Private conversations between employees
Losing this type of information is particularly dangerous, as internal company chats hold various business information, likely including details that competitors could find very advantageous.
“Internal chat logs often contain URLs, internal IPs, or reference materials that help attackers pivot deeper,” our team explained.
Internal messages could also reveal anything from R&D activity to compliance and regulatory discussions. Malicious actors could also use this information to impersonate staff and build trust, using insights from chat histories.
The third group of information exposed via the unprotected database is system metadata, including:
- Timestamps
- Message channels/groups
- User–channel mappings
- Internal routing identifiers
Our researchers advised the company to immediately rotate all employee passwords and invalidate authentication tokens, as well as to force logout on mobile messenger devices.
“The company should also conduct a digital forensics investigation to determine if the exposed instance was accessed by unauthorized parties,” they explained.
- Leak discovered: December 4th, 2025
- Initial disclosure: December 4th, 2025
- Leak closed: December 5th, 2025