A former Coupang employee exploited internal authentication keys to access tens of millions of user records over a seven-month period, in what the Korean government has classified as the most significant data breach in the nation’s e-commerce history.
The Ministry of Science and ICT revealed the findings of a joint government and private sector investigation on Tuesday. Officials highlighted the incident as a major security failure targeting South Korea’s largest online retailer, emphasizing the substantial volume of compromised data.
According to the ministry, over 33.67 million user records, encompassing names and email addresses, were exposed through Coupang’s personal information editing page. The company’s delivery address list page was accessed more than 140 million times, potentially revealing names, phone numbers, and home addresses. Approximately 50,000 views were recorded on a delivery-editing page, exposing main-door passcodes for shared entrances. The order history page experienced roughly 100,000 accesses.
The Personal Information Protection Commission is currently finalizing the assessment of the total compromised data.
The data breach occurred between April and November of the previous year. At the heart of the incident was a former developer who had previously worked on Coupang’s user authentication system. During their employment, the individual obtained a signing key, which was subsequently used to forge what investigators termed an “electronic access badge.” This fraudulent badge granted unauthorized access to user accounts, bypassing standard login procedures.
The attacker employed automated tools to scrape significant amounts of sensitive information. This unauthorized activity persisted for several months without detection or intervention.
The investigation uncovered significant vulnerabilities in Coupang’s internal credential management protocols. Forged credentials were not subject to sufficient verification, and signing keys belonging to former employees were neither revoked nor updated. Despite their departure, some of these keys continued to be active within system operations. Furthermore, signing keys were found stored locally on several developer PCs.
Repeated unauthorized access went unnoticed, and no measures were implemented to prevent the intrusion.
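The two failures described above, signing keys that still verified after their holder had left and bulk reads that nobody noticed, each correspond to a small defensive control. What follows is an added example written for this article, not Coupang's code or anything recovered by the investigation: a verifier that reads the key id from the token header, looks it up in a key registry and refuses anything signed by a retired or unknown key, together with a detector that flags one caller touching an unusual number of distinct accounts in a short window. The registry, the secrets, the token format, the window size and threshold, and the log lines are all constructed for the demonstration.

```python
"""Added example (not Coupang's own code): key lifecycle enforcement for
signed access tokens plus a volume-based detector over access-log lines.
Every key id, secret, threshold and log line below is constructed."""
import base64
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed key registry: key id -> secret and whether it is still trusted.
# Production keys belong in a KMS/HSM, not on developer workstations.
KEY_REGISTRY = {
    "kid-2024-04": {"secret": b"constructed-secret-A", "active": True},
    "kid-2024-10": {"secret": b"constructed-secret-B", "active": True},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict, secret: bytes) -> str:
    """Mint a compact HMAC-SHA256 token (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"


def revoke_key(kid: str) -> None:
    """Retire a key, e.g. when its holder leaves; tokens under it stop verifying."""
    KEY_REGISTRY[kid]["active"] = False


def verify_token(token: str, now: int) -> dict:
    """Return claims only if the token is signed by a key that is present AND
    active in the registry and has not expired. Raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64(header_b64))
    entry = KEY_REGISTRY.get(header.get("kid"))
    if entry is None or not entry["active"]:
        raise ValueError("unknown or revoked signing key")
    expected = hmac.new(entry["secret"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def flag_bulk_readers(log_lines, window_secs=60, max_accounts=10) -> dict:
    """Flag callers that touch more than max_accounts distinct accounts inside one
    window. Constructed log line format: '<epoch> <caller> <account> <path>'.
    Returns {caller: peak distinct-account count}."""
    touched = defaultdict(set)
    for line in log_lines:
        ts, caller, account, _path = line.split()
        touched[(caller, int(ts) // window_secs)].add(account)
    flagged = {}
    for (caller, _), accounts in touched.items():
        if len(accounts) > max_accounts:
            flagged[caller] = max(flagged.get(caller, 0), len(accounts))
    return flagged


# Constructed log: one user reading their own page a few times, one caller
# sweeping 25 different accounts' address pages inside the same minute.
SAMPLE_LOG = (
    [f"{1700000000 + i} user-7 acct-7 /me/address" for i in range(3)]
    + [f"{1700000000 + i} caller-x acct-{i} /me/address" for i in range(25)]
)

if __name__ == "__main__":
    tok = sign_token("kid-2024-04", {"sub": "acct-7", "exp": 1700000600},
                     KEY_REGISTRY["kid-2024-04"]["secret"])
    print("before revocation:", verify_token(tok, now=1700000000)["sub"])
    revoke_key("kid-2024-04")  # holder left the company
    try:
        verify_token(tok, now=1700000000)
    except ValueError as err:
        print("after revocation:", err)
    print("bulk readers:", flag_bulk_readers(SAMPLE_LOG))
```

The point of the registry lookup is that possession of a secret is never enough on its own: the verifier consults current state, so retiring a key when its holder departs invalidates every token it could still mint. The detector deliberately counts distinct accounts rather than raw requests, since a legitimate user hammering their own page looks nothing like one principal reading many other people's delivery addresses.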
Coupang also failed to meet its legal obligation to report the data breach within the mandated 24-hour timeframe. The company submitted its report nearly two days late, resulting in administrative penalties. Adding to the severity, certain access logs were deleted even after the government issued a formal order to preserve all related records, leading to a criminal referral to law enforcement.
The Ministry has directed Coupang to submit a plan detailing the corrective actions it will take. Based on the company’s response, a formal corrective order may be issued. Concurrently, the data protection agency is reviewing the extent of the data leak and potential legal violations. The police have also initiated a separate criminal investigation into the former developer’s actions.
Coupang stated that personal data — including names, addresses, and order histories — from approximately 33.7 million user accounts were leaked in late November. Last week, the company reported an additional breach impacting 165,455 accounts.
yeeun
