Slack Internal Messenger Remained Accessible After Departure
Employee Who Leaked Customer Accounts Left in December Last Year
Possible to Monitor Work Conversations via Slack After Leaving
Signing Key Leak and Weak FDS Exposed in Succession
Coupang, which suffered a leak of personal information affecting 33.7 million customers, is now facing allegations that former employees accessed company information through internal messenger accounts even after leaving the company. This directly contradicts CEO Park Daejun’s statement that “departed employees’ access rights are immediately revoked.”
A massive personal information leak incident involving over 30 million cases occurred at Coupang. This scale surpasses the economically active population of 29.69 million, making it the worst leak incident in history. Photo by Dongju Yoon, Coupang headquarters on December 1, 2025.
According to The Asia Business Daily’s investigation on December 3, former Coupang employees were able to check meeting details and work-related conversations for several months after leaving the company through their Slack accounts, the company’s internal messenger. Due to the prevalence of remote work at Coupang, much of the work was conducted via Slack. However, since these accounts remained active after resignation, former employees could continue to view their colleagues’ conversations. A former Coupang employee stated, “There were internal security vulnerabilities,” adding, “Some contract workers’ Slack accounts remained active for a considerable period after resignation, allowing them to access work chat rooms and review company communications.”
A Coupang security authentication developer of Chinese nationality, who resigned in December of last year, is alleged to have exfiltrated the personal information of 33.7 million accounts between June 24 and November 8 of this year. This has led to criticism that even the basic procedure of ‘deactivating internal accounts for resigned employees’ was not followed.
In response, CEO Park explained at the emergency current issues inquiry of the National Assembly’s Science, ICT, Broadcasting and Communications Committee the previous day, stating, “Departed employees’ access rights are immediately revoked.” Coupang maintains that the developer did not access the information using a company account or access rights, but rather leaked a core signing key during their employment and later used it to steal customer information.
However, considering that Slack accounts of former employees were indeed maintained for extended periods, there is a possibility that the attacker may have obtained clues to access the internal security system even after resignation.
Daejun Park, CEO of Coupang (second from right), and Brett Mattis, CISO of Coupang (far right), are attending the current issues inquiry at the plenary meeting of the National Assembly's Science, ICT, Broadcasting and Communications Committee on December 2, 2025. Photo by Hyunmin Kim
Weak Internal Security... The Pitfalls of Remote Work
Given the large number of remote workers at Coupang, there are calls for the company to strengthen online access controls. However, it is pointed out that even basic security procedures were neglected. When customers log in, Coupang issues a kind of ‘access card (token),’ which is verified using the ‘company seal (signing key).’ The attacker used this seal to generate fake tokens externally and gain access to customer accounts. Brett Mattis, Chief Information Security Officer (CISO) of Coupang, also stated at the meeting, “It appears the attacker used IP addresses from various sources to extract data,” and “Since the activity did not exceed our system’s threshold, it seems it was not detected.”
Coupang has a security system called the Fraud Detection System (FDS), which analyzes users’ access patterns, times, IP addresses, and device changes in real time to detect suspicious activity. However, it failed to catch even basic abnormal signs such as unusual access and mass token generation. Kim Seungjoo, professor at Korea University’s Graduate School of Information Security, said, “If the FDS had functioned properly, it could have prevented an insider from accessing the digital signature key and mass-producing authentication tokens in advance,” adding, “I think the anomaly detection system was generally weak.”
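The sketch below is an added illustration, not part of the original article and not Coupang's code. It shows why a per-IP volume threshold stays silent when tokens signed with an exposed key arrive from many addresses, and how a record of issued token IDs and a key rotation each catch them. The HMAC token format, the key IDs `k1`/`k2`, the issuance record and the threshold value are all assumptions made for the example.

```python
import base64, hashlib, hmac, json
from collections import Counter

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def sign(claims, kid, key):
    body = _b64(json.dumps({"kid": kid, **claims}, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token, keys, issued_ids):
    """Return 'ok' or the reason the token is rejected."""
    try:
        body, mac = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        kid, jti = str(claims["kid"]), str(claims["jti"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    key = keys.get(kid)
    if key is None:
        return "unknown_or_retired_key"  # after rotation, old-key tokens stop here
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad_signature"
    if jti not in issued_ids:
        return "never_issued"  # signature is valid, but the login service never minted it
    return "ok"

def per_ip_alerts(events, threshold):
    """Volume-only rule: source IPs with more than `threshold` requests."""
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n > threshold)

def verdicts(events, keys, issued_ids):
    """Count verification outcomes across all requests, regardless of source IP."""
    return Counter(verify(tok, keys, issued_ids) for _, tok in events)

# Constructed sample data (keys, token IDs and addresses are made up).
OLD_KEY, NEW_KEY = b"constructed-exposed-key", b"constructed-rotated-key"
ISSUED = {"login-1"}  # token IDs recorded by the login service at issuance
EVENTS = [("198.51.100.7", sign({"sub": "u1", "jti": "login-1"}, "k1", OLD_KEY))]
# 30 tokens signed outside the login service, two requests per source address
EVENTS += [(f"203.0.113.{i // 2}", sign({"sub": f"u{i}", "jti": f"x-{i}"}, "k1", OLD_KEY))
           for i in range(30)]

if __name__ == "__main__":
    print(per_ip_alerts(EVENTS, threshold=5))            # volume rule sees nothing
    print(verdicts(EVENTS, {"k1": OLD_KEY}, ISSUED))     # issuance record flags 30
    print(verdicts(EVENTS, {"k2": NEW_KEY}, ISSUED))     # rotation rejects all old-key tokens
```

Rotating the key also rejects the one legitimate session, which is the expected cost of retiring an exposed key: affected users log in again.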
Unlike typical hacking incidents, the leakage of customer accounts due to poor management of insiders is raising concerns about secondary damages. Assemblyman Kim Jangkyum of the People Power Party pointed out during the current issues inquiry the previous day, “Since the method of intrusion this time did not involve using a company account but rather accessing the system as a Coupang service user, if both IDs and passwords were leaked, isn’t it possible for attackers to access Naver or other e-commerce accounts as well?” Professor Kim responded, “If Coupang’s insider management is inadequate and both IDs and passwords are leaked, such scenarios are indeed possible.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
![[Exclusive] Former Coupang Employee Says "Internal Messenger Account Remained Active After Leaving the Company"](https://cphoto.asiae.co.kr/listimglink/1/2025120314151241795_1764738912.png)

