[26.02.10] Coupang Breach Exposes 33.67 Million Users, Government to Penalize Security Failures
📍Government investigation finds authentication vulnerability exploited; fine expected for delayed reporting
A government investigation confirmed that 33.67 million users’ personal information was leaked in a data breach involving a former Coupang employee, with delivery-related personal data accessed 148 million times. Authorities identified the incident as a large-scale cyber intrusion exploiting authentication vulnerabilities and announced administrative actions over poor security management and delayed reporting.


🔹 Joint Investigation Confirms Massive Leak
The Ministry of Science and ICT announced preliminary results of a joint public-private investigation on the 10th at the Government Complex Seoul.
Investigators analyzed 25.6TB of Coupang web access logs, totaling 664.2 billion records. They confirmed approximately 33.67 million cases of leaked names and email addresses from the “Edit My Info” page.
The probe included forensic analysis of four storage devices believed to have been used in the attack and a laptop belonging to a current Coupang developer.
🔹 Delivery Addresses and Access Codes Also Viewed
From the “Delivery Address List” page, personal data including names, phone numbers, delivery addresses, and partially masked apartment entrance passwords were accessed about 148 million times.
The data also included information on third parties, such as family members and acquaintances who received deliveries, widening the potential scope of victims.
Apartment entrance passwords were accessed about 50,000 times through the “Edit Delivery Address” page, and recent order lists were viewed about 100,000 times.
The investigation did not include an additional 165,000 compromised accounts recently disclosed by Coupang. The Personal Information Protection Commission will later determine the final confirmed scale.
🔹 Attack Method: Automated Exploitation of Authentication Flaw
According to investigators, the former employee, a Chinese national, had designed the user authentication system while employed at Coupang and discovered a vulnerability in January. After testing it, he began large-scale data exfiltration on April 14 using automated web-crawling tools and continued until November 8.
It has not been confirmed whether the collected data was transferred to an external cloud. He previously emailed Coupang claiming access to over 120 million delivery addresses, 560 million order records, and more than 33 million email addresses.
🔹 Security Management Failures Pointed Out
Authorities stated the attacker accessed user accounts without normal login procedures and that Coupang failed to detect the intrusion for an extended period.
A prior penetration test had already revealed that improperly issued electronic access tokens could be abused in cyberattacks, but the company did not fix the problem.
The government ordered the company to strengthen authentication-key management, abnormal-access monitoring, and periodic security compliance inspections.
🔹 Late Reporting and Deleted Logs
Coupang reported the incident to authorities at 9:35 p.m. on November 19, more than two days after reporting internally to the Chief Information Security Officer at 4 p.m. on November 17, violating the 24-hour reporting rule. A fine is planned.
The ministry also requested a criminal investigation after web access logs for about five months and application access records from May 23 to June 2 were deleted despite a preservation order.
The government will require a prevention plan within this month and will inspect its implementation by July.
