S. Korea: Former Staff Exploited Coupang Security Flaws

S. Korea Authorities Confirm Former Employee Exploited Authentication Flaws in Massive Coupang Data Breach
Source: KTV

South Korea confirms a former engineer exploited authentication flaws at Coupang, leaking 33.6M emails and accessing 148M delivery records.

by Philip Lee

Sejong, South Korea - The Ministry of Science and ICT said Tuesday that a former Coupang employee exploited vulnerabilities in the company’s authentication system in a data breach that compromised millions of user records.

A joint investigation revealed that a former staff back-end engineer used stolen signing keys to bypass security protocols and access user data between April 14 and November 8, 2025.

The breach exposed 33,673,817 names and email addresses from the e-commerce platform's information modification page.

Records show approximately 148 million unauthorized views of delivery lists containing names, phone numbers, and addresses, and 50,474 views of pages containing shared entrance security codes.

About 102,682 views of order history pages were also documented.

The ministry said the attacker exploited insufficient verification of forged digital passes and Coupang's failure to update signing keys after the employee left.

Forensic analysis confirmed that critical security keys were stored on developer laptops rather than in a secure management system.

The investigation also found that Coupang had identified similar vulnerabilities through earlier mock hacking exercises but failed to implement comprehensive improvements.

Investigators also found that the company failed to separate development and operational environments, allowing developers to access live key management systems.

The government has begun legal proceedings against Coupang for violations of the Information and Communications Network Act.

The company failed to report the incident within the legally required 24 hours, notifying the Korea Internet & Security Agency 53 hours after its chief information security officer recognized the breach.

The company is also accused of violating a data preservation order by deleting about five months of web access logs and application data, which authorities said hindered the investigation.

The ministry has referred the case to prosecutors for potential criminal charges.

The government plans to impose a fine of up to KRW 30 million for the reporting delay and will monitor the company's remedial measures through July.

Coupang must submit a plan to improve its authentication and key management systems by February.

South Korea’s Personal Information Protection Commission is expected to determine the full scope of the data theft and additional penalties.
