Kyowon, Instagram cases expose APAC identity flaws
Keeper Security has linked two recent incidents in Asia-Pacific consumer and enterprise security to recurring weaknesses in identity controls, credential hygiene and privileged access governance.
The comments followed a reported cyberattack on South Korea's Kyowon Group and a separate fix by Instagram for a bug that allowed mass requests for password reset emails.
Kyowon operates across educational publishing, hospitality and lifestyle products. The reported incident disrupted operations after multiple systems went offline, according to accounts of the attack.
South Korea has also seen a string of cyber incidents affecting large consumer and financial brands in recent years, including KT, Coupang and Lotte Card, as well as telecoms businesses.
Kyowon disruption
Takanori Nishiyama, SVP APAC and Japan Country Manager at Keeper Security, said the reported impact on Kyowon underlined how security incidents can spread quickly across large organisations.
"The reported cyber attack on Kyowon Group provides further evidence of how disruptive security incidents can be for large, diversified organisations, particularly when multiple systems are taken offline," said Takanori Nishiyama, SVP APAC and Japan Country Manager, Keeper Security.
Nishiyama said that although public detail about the intrusion remained limited, the operational impact alone sent a clear signal. He pointed to the risks of interconnected environments and the way a single weakness can affect multiple business units.
"While details of the exact nature of the breach remain limited, the operational impact alone highlights a recurring challenge across the APAC region, where a single point of compromise in enterprises that rely on complex, interconnected digital environments can cascade quickly across the business," said Nishiyama.
He said organisations should focus on identity security foundations. He highlighted controls around privileged access, credential hygiene and monitoring of high-risk accounts.
"Incidents like this highlight the importance of implementing strong identity security foundations, including strict control over privileged access, credential hygiene and continuous monitoring of high-risk accounts," said Nishiyama.
Nishiyama also described common attacker approaches during major breaches. He said attackers often succeed through over-provisioned access and reused credentials, rather than novel techniques.
"In many large breaches, attackers are not exploiting novel techniques, but rather taking advantage of excessive access rights, reused credentials and a lack of visibility into privileged activity across critical systems," said Nishiyama.
He said that, as investigations continue, the Kyowon incident should prompt a review of governance and oversight for access to sensitive systems. He linked the issue to organisations with multiple subsidiaries and large customer bases.
"As investigations continue, this incident should serve as a timely reminder for organisations across the region to reassess how access to sensitive systems is governed, audited and restricted, particularly in environments supporting large customer bases and multiple subsidiaries," said Nishiyama.
Instagram bug
In a separate incident, Instagram addressed a bug that allowed threat actors to generate password reset emails at scale. Threat actors claimed they had scraped and leaked data from more than 17 million accounts. Meta said no breach occurred and told users they could ignore password reset emails they did not request.
Shane Barney, Chief Information Security Officer at Keeper Security, said there was no sign of an active new compromise of Instagram's systems based on what had emerged so far.
"At this stage, there is no evidence to suggest this incident represents a new or active breach of Instagram's systems. The more likely explanation is the circulation of previously scraped or exposed data that has been aggregated and repackaged from multiple sources over time," said Shane Barney, Chief Information Security Officer, Keeper Security.
Barney said the difference between a fresh breach and recycled data still mattered for security teams and users. He said older exposed data can continue to drive attacks when paired with automation and AI targeting.
"That distinction matters. Recycled data continues to fuel real-world attacks long after the original exposure, particularly when combined with automation and AI-driven targeting," said Barney.
He said the main risk for individuals often sits with deception rather than immediate account takeover. He described how threat actors can use exposed identifiers and profile details for phishing and social engineering that imitates security communications.
"For individuals, the primary threat isn't immediate account takeover but targeted deception. Threat actors routinely use exposed usernames, email addresses and profile details to craft highly convincing phishing and social engineering campaigns, often impersonating password reset or security alerts to lure users to fraudulent sites," said Barney.
Barney said individuals should treat unsolicited security emails with scepticism and use distinct, long passwords with multi-factor authentication.
"This makes basic cyber hygiene essential regardless of whether a breach is confirmed. Using unique, long and randomly generated passwords, enabling multi-factor authentication and treating unsolicited security emails with scepticism remain among the most effective defences," said Barney.
Credential risk
Barney said organisations should assume some credentials have already been exposed, regardless of whether the source is a confirmed breach or older scraping. He said attackers often prefer credential-based entry because it can resemble normal user behaviour.
"For organisations, this incident serves as a reminder that attackers prefer to log in rather than break in. Compromised or reused credentials remain one of the most reliable initial access points because they allow threat actors to blend in with legitimate users and evade detection," said Barney.
He said organisations should move away from legacy password policies and focus on continuous verification, access controls and monitoring for anomalous behaviour. He also pointed to privileged access as a priority area for governance and audit.
"That means moving beyond legacy password policies towards a zero-trust model built on continuous verification, strong access controls and monitoring for anomalous behaviour," said Barney.
"Privileged access, in particular, must be tightly governed, audited regularly and protected with phishing-resistant authentication wherever possible. This approach limits the impact of recycled data and reduces the risk of credential-based attacks escalating into a broader compromise," said Barney.