Government: "Coupang Leaked 33.67 Million Names and Emails... Contact Details and Addresses Also Exposed"

The government has released its first official investigation results on Coupang's large-scale personal data breach. It was confirmed that 33.67 million items of personal information, including the names and email addresses of Coupang users, were leaked. In the process, pages containing contact information, delivery addresses, shared entrance passwords, and lists of ordered products were exposed to the attacker. It was also confirmed that Coupang delayed reporting the incident and violated a data preservation order.

On the afternoon of Feb. 10, at the Government Complex Seoul in Jongno-gu, Seoul, the Ministry of Science and ICT held a briefing and announced these findings from the joint public-private investigation team on the Coupang breach incident. The team analyzed a total of 25.6 TB of Coupang access logs covering the period from Nov. 29, 2024, to Dec. 31 of last year.

According to the investigation team, in November last year the attacker sent two emails to Coupang claiming to have leaked information from the company. The emails contained some of the data obtained through the breach, including: ▲ names and email addresses from the "Edit My Information" page ▲ names, phone numbers, addresses, and shared entrance passwords from the "Delivery Address List" page ▲ information on products ordered by users from the "Order List" page.

The investigation team found that approximately 33.67 million user records containing names and email addresses from the Edit My Information page were leaked. This figure is similar to the roughly 33.7 million personal data records that Coupang identified and announced in its own investigation in November last year.

Portion of the email the attacker sent to Coupang. Provided by the Ministry of Science and ICT.

In particular, during this process, the attacker viewed the delivery address list page more than 1.48 billion times to exfiltrate information. This figure represents the number of times the attacker accessed the delivery address list page. This page contained names, phone numbers, delivery addresses, and shared entrance passwords that had been de-identified using special characters. The delivery address list page included not only the account holder’s information, but also large amounts of information on third parties such as family members and friends, including their names, phone numbers, and delivery addresses. The delivery address edit page, which included names, phone numbers, delivery addresses, and shared entrance passwords, was also viewed 50,474 times.

In addition, users’ order histories were exposed. The investigation team found that the attacker viewed the order list page, which shows the list of products users recently ordered, 102,682 times. The email the attacker sent to Coupang in November last year also contained information on some customers’ ordered products.

The scale of the breach announced by the investigation team was calculated based on web access logs and other records. The Personal Information Protection Commission will later finalize and announce the precise scope of the personal data breach.

Email sent to Coupang by the attacker. Provided by the Ministry of Science and ICT

During the investigation, the team conducted a comprehensive analysis of Coupang’s web and application (app) access logs and other related materials. It also carried out forensic analysis of the attacker’s PC storage devices (two HDDs and two SSDs) submitted by Coupang, as well as the laptop of a currently employed Coupang developer. In addition, the team reviewed Coupang’s company-wide information security management system.

The attacker was confirmed to be a software (SW) developer who, while employed at Coupang, worked on the design and development of the user authentication system for system failure response and backup, as previously known. The investigation team explained that the attacker exploited an authentication vulnerability in Coupang’s servers, accessed user accounts abnormally without legitimate logins, and exfiltrated information without authorization.

To access Coupang’s management servers, one must log in and obtain a kind of "electronic access pass." Coupang’s gateway server verifies the validity of the issued electronic access pass and allows access to services only if no issues are detected. However, the attacker stole the signing key of the user authentication system he had managed while employed, tampered with the electronic access passes, and thereby bypassed Coupang’s authentication system. After conducting preliminary tests for the full-scale attack, he used an automated web crawling attack tool to leak large volumes of information. In this process, the attacker used a total of 2,313 internet protocol (IP) addresses.

The investigation team found that Coupang had no procedure in place to verify whether electronic access passes had been forged or altered. In addition, when a person in charge of such work leaves the company, the signing key should be renewed so it can no longer be used, but the relevant systems and procedures were inadequate. The team also found that although issuance records should be logged and managed so that signing keys can be controlled systematically, there was no key history management system, making it impossible to detect use of the keys for unauthorized purposes.

Coupang has suffered a massive personal data breach affecting more than 30 million records. This exceeds the economically active population of 29.69 million people and is the worst data breach in history. Photo of Coupang headquarters on December 1, 2025. Photo by Yoon Dongju

Cases of Coupang violating legal requirements were also identified. Under the Information and Communications Network Act, a breach must be reported to the Ministry of Science and ICT or the Korea Internet & Security Agency (KISA) within 24 hours of detection. However, Coupang reported the incident to KISA only two days after it was first reported to the company’s Chief Information Security Officer (CISO).

The company also failed to comply with the government’s data preservation order. To analyze the cause of the breach, the Ministry of Science and ICT ordered data preservation in November last year, but Coupang did not adjust its automatic log retention policy, resulting in about five months of web access logs being deleted. App access logs for the period from May 23 to June 2 last year were also deleted.

The government plans to impose a fine for the delayed reporting of the breach. It has also requested a criminal investigation for Coupang’s failure to comply with the data preservation order.

Based on the investigation team’s findings, the Ministry of Science and ICT plans to require Coupang to submit, within this month, an implementation plan for its recurrence prevention measures. It then plans to review Coupang’s implementation status around June to July. If the implementation review identifies areas requiring improvement, the ministry will order corrective actions.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.