SummaryWe verified the mouse data exposure using the WM_INPUT message handler that obtains the mouse‐inputted data to derive the vulnerability of the image‐based authentication. Consequently, the mouse data were exposed on most of the banking and payment sites of South Korea. Experiment results show that the mouse data are exposed in image‐based authentication in six Internet banking services. Therefore, we proved that the safety of the authentication information is vulnerable even when image‐based authentication is applied. In the future, we will propose an image‐based authentication method to solve the vulnerability found from this paper and derive a set of criteria for the vulnerability analysis of image‐based authentication for the security assessment.