South Korea government calls Coupang breach involving 33.7 million records worst ever
SEOUL – A former Coupang employee accessed tens of millions of user records
The Ministry of Science and ICT on Feb 10 announced findings from a joint public-private investigation. Officials described the case as a major breach targeting the nation’s largest online retailer and pointed to the sheer volume of data compromised.
Over 33.67 million user records, including names and e-mail addresses, were leaked through Coupang’s personal information editing page, according to the ministry.
The company’s delivery address list page was viewed more than 140 million times, exposing names, phone numbers and street addresses. Around 50,000 page views were recorded on a delivery-editing page that included main-door passcodes for shared entrances. The order history page saw about 100,000 accesses.
South Korea’s Personal Information Protection Commission is confirming the final tally of compromised data.
The breach occurred between April and November 2025. At its centre was a former developer who had worked on Coupang’s user authentication system. While employed, the individual obtained a signing key. That key was later used to forge what investigators referred to as an “electronic access badge”, granting access to user accounts without going through normal log-in procedures.
Using automated tools, the attacker scraped large volumes of sensitive data. The abnormal activity continued for months, undetected and uninterrupted.
The investigation pointed to deep flaws in Coupang’s internal credential management. Forged credentials were not subject to verification, and signing keys belonging to former employees were neither revoked nor rotated. Despite their departure, some of those keys continued to be used in system operations. Several developer PCs were also found to have retained signing keys in local storage.
Repeated unauthorised access went unnoticed, and no measures were taken to block the intrusion.
Coupang also violated its legal obligation to report the breach within 24 hours. Instead, the company filed its report nearly two days late, triggering administrative penalties.
In a more serious violation, certain access logs were deleted even after the government had issued a formal order to preserve all related records. That action led to a criminal referral to law enforcement.
The ministry has requested that Coupang submit a plan outlining corrective measures. Depending on its response, a formal corrective order may be issued.
Meanwhile, the data protection watchdog is reviewing the scope of the leak and any legal violations. The police have also launched a separate criminal investigation into the former developer’s actions.
Coupang said personal data – including names, addresses and order histories – had been leaked from about 33.7 million user accounts in late November 2025.
Last week, the company disclosed an additional breach affecting 165,455 accounts. THE KOREA HERALD/ASIA NEWS NETWORK


