Coupang breach of 33.7 million accounts allegedly involved engineer insider

A prolonged failure to rotate or revoke the key used to sign the access tokens issued to authenticators is believed to be the root cause of over 30 million accounts being exposed externally by ecommerce giant Coupang. Ongoing analysis suggests that the key remained usable even after the responsible employee left the company.

On Nov. 29, Coupang released a statement confirming the unauthorized exposure of personal information from approximately 4,500 accounts on Nov. 18. The company also noted that the breach had been reported to the National Police Agency, the Korea Internet & Security Agency, and the Personal Information Protection Commission. Subsequent investigations, however, revealed that the damage involved approximately 33.7 million accounts.

Leaked information included names, email addresses, shipping address lists, and some order information. Coupang stated that payment information, credit card numbers, and login information were not included. It is believed that unauthorized access occurred via overseas servers starting on June 24, 2025. The company also stated that it is currently cooperating with relevant authorities to investigate the cause of the breach.

The Ministry of Science and ICT, the Seoul Metropolitan Police Agency, and other relevant agencies conducted an on-site investigation after receiving a report of a breach on Nov. 19 and a report of a personal information leak on Nov. 20. The investigation confirmed that the attacker exploited an authentication vulnerability in Coupang’s servers, bypassing the normal login process and leaking customer information.

The government launched a joint public-private investigation team on Nov. 30, and the Personal Information Protection Commission is investigating whether Coupang violated its personal information protection safety measures — access control, access authority management, encryption, etc. As a service with such a high user base that it’s often called the “Amazon of Korea,” Coupang issued a public security notice on Nov. 29 to prevent secondary damage. Furthermore, a three-month period, starting Nov. 30, will be dedicated to strengthening the monitoring of personal information leaks and illegal distribution online.

Meanwhile, Choi Min-hee, Chairwoman of the National Assembly Science, ICT, Broadcasting and Communications Committee, released the results of an analysis of the specific causes of the incident in a press release on Nov. 30. According to information received from Coupang, the company reportedly responded that “the token signing key validity period is often set to 5 to 10 years,” adding that “the rotation period is long and varies greatly depending on the key type.”

Chairwoman Choi’s office explained the incident using an analogy to an access control system. If the “token” required for login is a single-use access card, the “signing key” is the authentication stamp used to issue those cards. No card can be issued without the stamp, so the cards being single-use offers little protection if the stamp itself is left unattended for years: whoever holds it can keep issuing valid cards for as long as the stamp remains in use.

According to Rep. Choi Min-hee’s office, Coupang’s login system is designed so that the tokens themselves are discarded immediately after they are issued and used, but the signing material required to create tokens was neither deleted nor replaced when the employee in charge left the company, and so remained available for exploitation by the former insider.
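To make that mechanism concrete, the following Python example (written for this page, not Coupang’s code; the key identifiers, secrets, token TTL and timestamps are constructed assumptions) shows a JWT-style HS256 token scheme in which the tokens live only five minutes but the signing key does not. Anyone who keeps a copy of the key can mint a fresh, unexpired token a year after leaving; only retiring the key at departure, with a `kid`-aware verifier that refuses retired keys, closes that path:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example (assumptions, not Coupang's real keys or timeline).
T_LEAVE = 1_700_000_000             # moment the engineer in charge leaves
T_ATTACK = T_LEAVE + 365 * 86400    # a year later, the copied key is used
TOKEN_TTL = 300                     # tokens themselves live only 5 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(kid: str, secret: bytes, subject: str, now: int, ttl: int = TOKEN_TTL) -> str:
    """Issue a JWT-style HS256 token: b64url(header).b64url(payload).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, keyring: dict, now: int) -> Optional[dict]:
    """Return the payload if the token verifies under `keyring` at time `now`, else None.

    keyring maps kid -> {"secret": bytes, "retired_at": int | None}. `retired_at` is the
    cut-off after which the key verifies nothing; the operator sets it to rotation time
    plus the maximum token TTL so that legitimately issued tokens drain out, nothing more.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:                      # covers binascii.Error and JSONDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        return None
    entry = keyring.get(header.get("kid"))
    if entry is None:
        return None
    if entry["retired_at"] is not None and now >= entry["retired_at"]:
        return None                         # retired key: a forger's fresh iat/exp do not help
    expected = hmac.new(entry["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    return payload


def forged_token_accepted(rotated: bool) -> bool:
    """Simulate a departing engineer who keeps a copy of the signing key and uses it a year later."""
    keyring = {"k-2020": {"secret": b"example-secret-issued-2020", "retired_at": None}}
    stolen_secret = keyring["k-2020"]["secret"]          # copied on the way out
    if rotated:
        # Rotation on departure: a new key signs from now on; the old key verifies only
        # until in-flight tokens have expired, then nothing at all.
        keyring["k-2020"]["retired_at"] = T_LEAVE + TOKEN_TTL
        keyring["k-2025"] = {"secret": b"example-secret-issued-2025", "retired_at": None}
    # A year later the attacker mints a brand-new, unexpired token: the short TTL is no obstacle.
    forged = mint_token("k-2020", stolen_secret, "victim@example.com", now=T_ATTACK)
    return verify_token(forged, keyring, now=T_ATTACK) is not None


def tampered_token_accepted() -> bool:
    """Claiming the new kid while signing with the old secret must also fail."""
    keyring = {"k-2025": {"secret": b"example-secret-issued-2025", "retired_at": None}}
    forged = mint_token("k-2025", b"example-secret-issued-2020", "victim@example.com", now=T_ATTACK)
    return verify_token(forged, keyring, now=T_ATTACK) is not None


if __name__ == "__main__":
    print("no rotation, forged token accepted:", forged_token_accepted(rotated=False))        # True
    print("rotated on departure, forged token accepted:", forged_token_accepted(rotated=True))  # False
```

The exposure window is bounded by the key’s lifetime plus the token TTL, not by the TTL alone, which is why a five-minute token under a ten-year key buys little. In production the same logic applies to asymmetric keys held in a KMS or HSM: the `kid` lookup, the retirement cut-off and the refusal to honour a token-supplied algorithm are the parts that matter, and offboarding an engineer who had access to signing material should trigger the rotation rather than wait for a calendar.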

In a press release, Chairwoman Choi Min-hee stated, “Coupang did not follow the most basic internal security procedure of renewing the signing key,” and “Abandoning a long-term valid authentication key was not simply a deviation by an internal employee, but the result of organizational and structural problems at Coupang that neglected the authentication system.”

Victims of this breach have been notified via email or text message. Related information can also be found on a separate information page.

Coupang CEO Park Dae-joon issued a separate statement on Nov. 30, saying, “We sincerely apologize for causing great inconvenience and concern to the public,” and “Coupang will do its best to prevent further damage by closely cooperating with the joint public-private investigation team including the Ministry of Science and ICT, the Personal Information Protection Commission, the Korea Internet & Security Agency, and the National Police Agency.”

South Korean President Lee Jae Myung this week referenced the data breach at Coupang in calling for increased penalties for corporate negligence in such scenarios. The breach is believed to be the worst in South Korea in over a decade. Bloomberg reports that the breach may be a landmark case for South Korea. It could result in a record fine, potentially up to 1.2 trillion won (US$814M).

The prime suspect is a former Coupang engineer who had worked on authentication systems. The police are investigating whether the former employee acted alone or collaborated with others on the breach.
