Coupang Data Breach of 33.67 Million Records... 148 Million Views of Delivery Details Raise Risk of Wider Leak (Comprehensive)

Joint investigation confirms leak of 33.67 million names and email addresses
The attacker viewed the delivery address list page more than 148 million times
Includes names, contact numbers, addresses, and apartment entrance passwords
Order histories were also exposed to the attacker
MSIT: "If the attacker viewed the data, it falls within the scope of the breach"

The government has released its first official investigation results on Coupang's massive personal data breach. It has been confirmed that 33.67 million items of personal information, including Coupang users' names and email addresses, were leaked. During this process, it was revealed that the attacker viewed the delivery address information page more than 148 million times, raising concerns that the scope of the breach could be even larger. The delivery address information included contact numbers, delivery addresses, and apartment entrance passwords masked with special characters. The investigation also confirmed that Coupang delayed reporting the incident and violated a data preservation order.


On the afternoon of the 10th, the Ministry of Science and ICT held a briefing at the Government Complex Seoul in Jongno-gu, Seoul, and announced these findings from the public-private joint investigation team (hereinafter the “joint investigation team”) into the Coupang breach. The joint investigation team analyzed a total of 25.6TB of Coupang access logs covering the period from November 29, 2024 to December 31 of last year.


Choi Woohyuk, Director of the Information Protection and Network Policy Office at the Ministry of Science and ICT, is announcing the results of the public-private joint investigation into the Coupang breach at the Government Complex Seoul in Jongno-gu, Seoul on Feb. 10, 2026. Photo by Jo Yongjun

About 33.67 million user records confirmed leaked

According to the joint investigation team, the attacker sent two emails to Coupang in November last year, stating that information had been leaked from Coupang. The emails contained some of the leaked data, including: ▲ names and email addresses from the "Edit My Information" page ▲ names, phone numbers, addresses, and apartment entrance passwords from the "Delivery Address List" page ▲ information on items ordered by users from the "Order List" page.


The joint investigation team found that approximately 33.67 million user records containing names and email addresses were leaked from the "Edit My Information" page. This figure is similar to the roughly 33.7 million personal information records that Coupang identified and disclosed in its own investigation in November last year. However, this does not include the leakage of about 165,000 additional accounts that Coupang revealed on the 5th of this month.


Example of Coupang's delivery address list page. Provided by the Ministry of Science and ICT
Example of Coupang's delivery address list edit page. Provided by the Ministry of Science and ICT

The core problem is that the attacker viewed Coupang members' "Delivery Address List" page about 148 million times. This page includes the recipient's name, phone number, delivery address, and the apartment entrance password masked with special characters. The attacker also viewed the "Edit Delivery Address List" page, which contains the name, phone number, delivery address, and apartment entrance password, 50,474 times. Unlike the delivery address list page, the edit page displays the apartment entrance password in plain text without masking. The users' order histories were also exposed.

The attacker viewed delivery address information about 148 million times, expanding the scope of the breach

There are particular concerns that the scale of the information breach could be even larger, given that many members store delivery address information for multiple locations under a single account. Currently, Coupang allows up to 20 delivery addresses to be stored per account. The joint investigation team also stated that, in many cases, information such as the names, phone numbers, and delivery addresses of family members and acquaintances, in addition to the account holder, was included.


Even though the attacker viewed the delivery address lists and related pages more than 140 million times, it is difficult to conclude that 140 million separate accounts were breached, because the same user's information may have been accessed repeatedly. However, since delivery address information can include the names, phone numbers, and addresses of not only the Coupang account holder but also family members and acquaintances, there remains a possibility that the scope of damage could expand beyond what is currently known. Choi Woohyeok, Director-General of the Information Security and Network Policy Office at the Ministry of Science and ICT, explained, "Under the guidelines of the Personal Information Protection Act, the fact that an attacker has viewed the data can be regarded as indicating a potential leakage of that information."



Accordingly, the actual number of leaked personal information records will be finalized and announced by the Personal Information Protection Commission after it completes its investigation. The leakage scale that the joint investigation team disclosed on this day was calculated based on web access logs and related records. An official from the Personal Information Protection Commission said, "The investigation is still ongoing, so it is difficult to specify when it will be completed," adding, "We will announce the results when the investigation and sanctions are finalized."


The joint investigation team also confirmed that financial payment information such as card numbers and bank account numbers stored in Coupang Pay had not been leaked. No secondary damage caused by the leaked information has been identified. A forensic analysis of the storage devices from the attacker's PC showed that the attacker had written an attack script that collected the leaked information and enabled transmission to an external server. However, whether the data was actually transmitted could not be confirmed, as no records of such transmission remained.

The attacker forged and altered electronic access passes... used 2,313 IP addresses
Information leakage path of the Coupang attacker. Provided by the Ministry of Science and ICT

In addition, the joint investigation team conducted a comprehensive analysis of relevant materials, including Coupang's web and application (app) access logs. It also carried out forensic analyses of the attacker's PC storage devices submitted by Coupang (two HDDs and two SSDs), as well as the laptops currently used by Coupang developers. The team further examined the company's enterprise-wide information security management system.


As previously known, the attacker was a software (SW) developer who, while employed at Coupang, was responsible for designing and developing the user authentication system for system failure response and backup purposes. The joint investigation team explained that the attacker exploited an authentication vulnerability on Coupang's servers, accessed user accounts abnormally without a legitimate login, and leaked the information without authorization.


To access Coupang's management servers, a user must log in and obtain a kind of "electronic access pass." Coupang's gateway servers validate the issued electronic access pass and allow service access only if it is deemed valid. However, the attacker stole the signing key of the user authentication system he had managed while employed at Coupang, and by forging and altering the electronic access passes, bypassed Coupang's authentication framework. After conducting preliminary tests for the full-scale attack, he then used an automated web crawling attack tool to exfiltrate large volumes of data. In the process, the attacker used a total of 2,313 Internet Protocol (IP) addresses.


"Coupang had no procedure to verify forgery or alteration of electronic access passes"

The joint investigation team found that Coupang had no procedure in place to verify whether an electronic access pass had been forged or altered. Furthermore, when a staff member in charge of such work leaves the company, there should be a renewal process to ensure that the relevant signing key can no longer be used, but the related systems and procedures were inadequate. The team also confirmed that although issuance records should be logged and managed to enable systematic control of signing keys, the absence of a key history management system made it impossible to detect use for unauthorized purposes.
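The three missing controls named above (forgery checks, key renewal when a custodian leaves, and a key and issuance history) can be sketched together. This is an added example, not Coupang's code: the HMAC-signed pass format and the `Gateway` class are assumptions for illustration. A pass signed with a copied key carries a valid signature, so the gateway must also check it against its issuance record and the key's status.

```python
import base64, hashlib, hmac, json, secrets, time
def mac(body, secret):
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
def sign(claims, secret):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + mac(body, secret)

class Gateway:
    """Hypothetical gateway: keeps a signing-key history and an issuance log."""
    def __init__(self):
        self.keys, self.issued, self.active_kid = {}, {}, None
        self.rotate()

    def rotate(self):  # retire the active key and create a new one (e.g. at offboarding)
        if self.active_kid:
            self.keys[self.active_kid]["retired"] = True
        self.active_kid = secrets.token_hex(4)
        self.keys[self.active_kid] = {"secret": secrets.token_bytes(32), "retired": False}

    def issue(self, user, ttl=300):
        claims = {"sub": user, "jti": secrets.token_hex(8),
                  "kid": self.active_kid, "exp": int(time.time()) + ttl}
        self.issued[claims["jti"]] = claims          # issuance record
        return sign(claims, self.keys[self.active_kid]["secret"])

    def verify(self, token):
        try:
            body, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(body))
            key = self.keys[claims["kid"]]
        except (ValueError, KeyError, TypeError):
            return "malformed or unknown key"
        if not hmac.compare_digest(mac(body, key["secret"]).encode(), sig.encode()):
            return "bad signature"
        if key["retired"]:
            return "retired key"
        if self.issued.get(str(claims.get("jti"))) != claims:
            return "no issuance record"      # correctly signed but never issued
        return "ok" if claims["exp"] >= time.time() else "expired"

def demo():
    gw = Gateway()
    legit = gw.issue("user-a")
    kid, leaked = gw.active_kid, gw.keys[gw.active_kid]["secret"]  # models a copied key
    forged = sign({"sub": "user-b", "jti": "0" * 16, "kid": kid,
                   "exp": int(time.time()) + 300}, leaked)         # constructed sample
    before = (gw.verify(legit), gw.verify(forged))
    gw.rotate()
    return before, gw.verify(forged), gw.verify(gw.issue("user-a"))
```
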


Coupang has suffered a massive personal data breach affecting more than 30 million records. This exceeds the economically active population of 29.69 million people, making it the worst data breach on record. Photo of Coupang headquarters on the 1st. 2025.12.01 Photo by Yoon Dongju

Instances of Coupang violating legal requirements were also identified. Under the Act on Promotion of Information and Communications Network Utilization and Information Protection, a company must report a breach to the Ministry of Science and ICT or the Korea Internet & Security Agency (KISA) within 24 hours of becoming aware of it. However, Coupang did not report the incident to KISA until two days after it was first reported to the Chief Information Security Officer (CISO).


Coupang also failed to comply with the government's data preservation order. To analyze the cause of the breach, the Ministry of Science and ICT ordered data preservation in November last year, but Coupang did not adjust its automatic log retention policy, resulting in the deletion of about five months' worth of web access logs. App access logs for the period from May 23 to June 2 last year were also deleted.


The government plans to impose an administrative fine for the delayed reporting of the breach. It has also referred Coupang's failure to comply with the data preservation order to law enforcement agencies for investigation.


Additionally, the investigation team confirmed that although Coupang had obtained Information Security Management System (ISMS) and Personal Information Protection Management System certifications, it had inadequately implemented separation of duties according to access privileges and had failed to establish robust encryption policies. The team requested corrective measures. If Coupang does not make the required improvements, the government plans to issue a corrective order, and if that is not implemented, it will move to revoke the certifications.


Based on the findings of the joint investigation team, the Ministry of Science and ICT plans to require Coupang to submit an implementation plan for recurrence prevention measures within this month. It then intends to review Coupang's implementation status around June to July this year. If the implementation review identifies areas needing improvement, the government will order corrective actions.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
