
Coupang Data Leak of Around 33.67 Million Records... Lax Authentication System Management to Blame

Attacker, a former engineer, had prior knowledge of authentication system vulnerabilities
Stole signing key and forged or tampered with "electronic access passes"

The joint investigation team has found that a former Coupang employee leaked approximately 33.67 million items of personal data, and that the perpetrator viewed around 150 million items of information such as delivery addresses, concluding that Coupang’s lax management of its authentication system was a key cause of the incident.


On Feb. 10 at the Government Complex Seoul, the Ministry of Science and ICT announced the findings of the joint public-private investigation team into the Coupang network breach and identified Coupang’s inadequate management system as the cause.


According to the government announcement, the attacker was a software developer (backend engineer) while employed at Coupang and, in the course of designing and developing the user authentication system, became aware of vulnerabilities in the user authentication framework and in the key management system.


Coupang’s gateway server should only allow access to users for whom an "electronic access pass" has been validly issued through an authentication procedure, but the investigation found that the related verification steps were absent.


In addition, because the signing key managed by Coupang is a tool used to issue "electronic access passes," it should have been subject to a systematic and rigorous management regime, but this was not the case. When the staff member in charge leaves the company, a key rotation procedure should be carried out so that the relevant signing key can no longer be used, but the investigation found that the related system and procedures were insufficient.


After leaving the company, the attacker used the signing key and internal information stolen while employed to forge and tamper with "electronic access passes." The attacker then bypassed Coupang’s authentication system without going through a normal login procedure and carried out preliminary tests in preparation for the full-scale attack.


Once the attacker confirmed through these preliminary tests that user accounts could be accessed, they used an automated web crawling (data collection) attack tool to exfiltrate large volumes of information. The investigation found that a total of 2,313 internet protocol (IP) addresses were used in this process.


Choi Woohyeok, Director General for Information Protection and Network Policy at the Ministry of Science and ICT, announces the results of the joint public-private investigation into the Coupang breach at the Government Complex Seoul in Jongno-gu, Seoul on Feb. 10, 2026. Photo by Cho Yongjun

In particular, the investigation team stated that a forensic analysis of the attacker’s PC storage devices (two HDDs and two SSDs) confirmed that the attacker had written attack scripts capable of collecting information and transmitting it to external servers. It also confirmed that the attacker had implemented a function to transmit the stolen data to an overseas cloud server after illicitly accessing other users’ accounts using forged "electronic access passes."


However, the investigation team explained that there were no remaining records to determine whether such transmissions were actually carried out.


The investigation team urged, "Coupang must introduce a detection and blocking system for 'electronic access passes' that have not gone through a legitimate issuance process, and must also prepare fundamental remediation measures for the vulnerabilities identified in penetration testing." It added, "Under its own internal rules, Coupang stipulates that signing keys must be stored only in the 'key management system' and must not be stored on developers’ PCs (such as hard-coded in source code), but a Coupang developer who is currently employed is storing a signing key on a laptop, creating a risk of key leakage and misuse."
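The two controls described above, sketched as an added example that is not Coupang's code or part of the original article: a gateway check that refuses passes signed with a retired key and passes that carry a valid signature but were never recorded by the issuance service. The HMAC token layout, the `kid` and `jti` fields and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample state (assumption): in production the keys live only in the
# key management system and the issuance ledger is a shared datastore.
KEYS = {"k1": secrets.token_bytes(32)}   # key id -> signing secret
ACTIVE = {"k1"}                          # key ids the gateway still accepts
ISSUED = set()                           # pass ids recorded at legitimate issuance

def _sign(kid, body):
    return hmac.new(KEYS[kid], body, hashlib.sha256).digest()

def _encode(kid, claims):
    body = json.dumps({"kid": kid, **claims}, sort_keys=True).encode()
    b64 = base64.urlsafe_b64encode
    return (b64(body) + b"." + b64(_sign(kid, body))).decode()

def issue_pass(user, kid="k1"):
    """Legitimate issuance after login: sign the pass and record its id."""
    jti = secrets.token_hex(8)
    ISSUED.add(jti)
    return _encode(kid, {"sub": user, "jti": jti})

def rotate(old_kid, new_kid):
    """Offboarding step: retire the old key id and activate a fresh key."""
    KEYS[new_kid] = secrets.token_bytes(32)
    ACTIVE.discard(old_kid)
    ACTIVE.add(new_kid)

def gateway_check(token):
    """Return (allowed, reason) for a presented pass."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
        kid = str(claims["kid"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if kid not in ACTIVE:
        return False, "retired-or-unknown-key"
    if not hmac.compare_digest(sig, _sign(kid, body)):
        return False, "bad-signature"
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti not in ISSUED:
        return False, "not-issued"   # correctly signed but never issued: block and alert
    return True, "ok"
```

The `not-issued` branch is the case a signature check alone cannot catch, since a pass made with a copied key verifies correctly; rotating the key then invalidates every pass signed under the old key id.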


Furthermore, when the investigation team reviewed Coupang’s Information Security Management System and Personal Information Management System certification (ISMS-P), it found that Coupang has not separated development from operations and is granting developers access rights to the live, operational "key management system," which requires improvement.


The investigation team stated, "Coupang must strengthen its key management and control framework, clarify its operational management standards, and conduct continuous inspections," adding, "It must also enhance monitoring to detect abnormal access behavior and establish a log storage and management policy suited to purposes such as analyzing the cause of incidents and identifying the scale of damage."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
