Attempted internal access to fan identities and album purchase histories highlights vulnerabilities in a system relied on by millions of domestic and overseas fans
Joon Choi (right), CEO of Weverse Company, speaks with Reuters correspondent Kim Vinnell during the global forum “Reuters NEXT” held in New York on Dec. 4. (Hybe)
A data breach at Weverse, the global fan platform operated by K-pop powerhouse Hybe, has reignited debate over the transparency of the industry’s opaque fan event lottery systems, after evidence emerged that a platform staffer attempted to manipulate fan signing event results using private user data in November.
The controversy surfaced Friday after leaked messenger conversations began circulating on social media, showing a Weverse employee asking whether it was possible to view applicant identities or exclude specific fans from winner lists. The conversations included references to sensitive personal information, such as how many albums individual fans had purchased — a key factor in determining the likelihood of winning.
Weverse, which claims more than 50 million users worldwide, serves as the official fan platform for top-tier acts such as BTS, Seventeen and NewJeans, while also hosting artists like Blackpink and Aespa from YG Entertainment and SM Entertainment, respectively, through partnerships. The scale of the platform has amplified concerns over the implications of the breach.
In the K-pop industry, access to fan signing events — commonly known as fansigns — is typically granted through a lottery system tied to album purchases. Although officially random, the system has long been criticized for effectively operating as “pay-to-play,” with fans often buying dozens or even hundreds of albums to increase their chances.
This has given rise to the term “fansign cut,” referring to the unofficial minimum number of albums believed to secure a winning slot. Against this backdrop, suspicions that an internal staff member could access personal data and influence outcomes have sparked widespread outrage.
The issue extends well beyond domestic fans. International fans are major participants in video call fansigns, which allow global access regardless of location. Global retail platforms often allocate separate “overseas slots,” where competition can be even fiercer and required purchase volumes higher than for domestic applicants.
Even for offline fan events held in Korea, overseas fans frequently engage in bulk purchases to improve their odds, despite the added burden of international travel if selected. The same purchase-based selection structure also applies to album showcases and small-scale fan meetings across major agencies, including Hybe, YG Entertainment and SM Entertainment.
Because Weverse integrates fan communities with commerce, ticketing and event participation, the platform stores extensive personal and financial information for millions of users worldwide — raising serious concerns about data protection and internal access controls.
One Weverse user whose information appeared in the leaked conversations spoke publicly on X on Friday, describing significant emotional distress.
“I am experiencing considerable stress and anxiety knowing that my real name and fan event participation history were discussed based on a staff member’s personal judgment, unrelated to their official duties,” the user wrote.
While Weverse told the user that its event lottery process is “in principle impossible to manipulate,” the explanation failed to alleviate concerns.
“They keep repeating that the process cannot be altered,” the user said, “but there has been no systemic explanation for how a staffer could estimate and reference my private information, or how internal conversations were captured and leaked externally.”
Hybe said it immediately removed the staff member from their duties, referred the case to a disciplinary committee and is reviewing legal action. However, the company has not disclosed how the data was accessed or what technical vulnerabilities allowed the breach.
“We plan to provide a detailed explanation of the measures taken against the offender to the customer who suffered due to this misconduct,” Hybe said in a statement. “We will strengthen employee training and internal control systems to prevent a recurrence.”
The controversy comes just weeks after Weverse Company CEO Joon Choi appeared at the “Reuters Next” forum in New York, where he described Weverse as a benchmark for the industry’s “superfan” business model and emphasized authenticity as the platform’s core value.
“As technology advances, the value of genuine communication created by people becomes greater,” Choi said at the time — a statement now sharply contrasted by the fallout from the current data breach case.
jaaykim@heraldcorp.com